CVE-2022-40734

MEDIUM EXPLOITED IN THE WILD NUCLEI

Unisharp Laravel Filemanager < 2.5.1 - Path Traversal

Title source: rule

Description

UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.

Nuclei Templates (1)

Laravel Filemanager v2.5.1 - Local File Inclusion

MEDIUMVERIFIEDby arafatansari

Shodan: http.html:"Laravel Filemanager" || http.html:"laravel filemanager"

FOFA: body="laravel filemanager"

References (3)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/UniSharp/laravel-filemanager/issues/1150

[Issue Tracking] https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966

[Issue Tracking] https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417

Scores

CVSS v3 6.5

EPSS 0.9174

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2022-09-14

InTheWild.io 2022-09-14

CWE

CWE-22

Status published

Products (2)

unisharp/laravel-filemanager 0 - 2.6.4Packagist

unisharp/laravel_filemanager < 2.5.1

Published Sep 14, 2022

Tracked Since Feb 18, 2026