CVE-2025-46001

CRITICAL

simogeo Filemanager 2.3.0 - Arbitrary File Upload via is_allowed_file_type() Function


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46001. PoCs published by HaHwul.

AI-analyzed exploit summary: This exploit demonstrates a path traversal vulnerability and a file upload vulnerability in SIMOGEO FileManager 2.3.0. The path traversal allows reading arbitrary files by bypassing input filters, while the file upload vulnerability enables arbitrary file upload and extension manipulation to achieve remote code execution.

Description

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Exploits (1)

exploitdb WORKING POC VERIFIED
by HaHwul · text · webapps · php
https://www.exploit-db.com/exploits/38895

Classification
Working Poc 90%
Attack Type
Info Leak | RCE
Complexity
Trivial
Reliability
Reliable
Target: SIMOGEO FileManager 2.3.0
No auth needed
Prerequisites: Network access to the target application · FileManager application deployed and accessible
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0145
EPSS Percentile 81.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
simogeo/filemanager · Packagist
simogeo/filemanager 0.8 - 1.1
Published Jul 18, 2025
Tracked Since Feb 18, 2026