CVE-2022-45476

CRITICAL

Tiny File Manager 2.4.8 - Unrestricted Upload of File with Dangerous Type

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-45476. PoCs published by dugisan3rd.

AI-analyzed exploit summary The repository contains functional exploit code for multiple CVEs, including SSRF in request-baskets (CVE-2023-27163) and RCE in Chamilo LMS (CVE-2023-4220). The scripts demonstrate the vulnerabilities by crafting specific API requests or file uploads to achieve exploitation.

Description

Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.

Exploits (1)

github WORKING POC
by dugisan3rd · pythonpoc
https://github.com/dugisan3rd/exploit/tree/main/TinyFM-RCE (CVE-2022-45476)

The repository contains functional exploit code for multiple CVEs, including SSRF in request-baskets (CVE-2023-27163) and RCE in Chamilo LMS (CVE-2023-4220). The scripts demonstrate the vulnerabilities by crafting specific API requests or file uploads to achieve exploitation.

Classification
Working Poc 95%
Attack Type
Ssrf | Rce
Complexity
Moderate
Reliability
Reliable
Target: request-baskets <= v1.2.1, Chamilo LMS <= v1.11.24
No auth needed
Prerequisites: network access to target · Python environment with required libraries
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0098
EPSS Percentile 57.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
prasathmani/tiny_file_manager 2.4.8
Published Nov 25, 2022
Tracked Since Feb 18, 2026