CVE-2025-56399

HIGH

alexusmai laravel-file-manager <3.3.1 - Authenticated RCE

Description

alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a `.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
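The two weaknesses the description names are an upload that is stored even though validation "failed" client-side, and a rename endpoint that will happily change an extension to one the web server executes. The following is an added, hypothetical server-side check (it is not code from laravel-file-manager or its author) showing what a file manager should enforce on both the upload and the rename path: an extension allowlist applied to every dotted part of the name, a refusal to rename into executable extensions, and a content check so that a file calling itself `.png` actually carries a PNG signature and no PHP open tag. The extension sets and sample bytes are constructed for the example.

```python
import re

# Extensions a PHP-enabled web server may execute. Constructed list for this
# example; a real deployment should derive it from the server's handler config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Allowlist of what the file manager is willing to store at all.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Magic bytes for the image types we accept (constructed from the formats' specs).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Any PHP open tag: "<?php", "<?=" or the short "<?".
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def name_parts(name: str) -> list[str]:
    """Return every dotted suffix of a file name in lower case, e.g. 'a.php.png' -> ['php', 'png'].
    Checking all parts, not just the last one, blocks double-extension tricks that some
    server configurations interpret as executable."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def validate_name(name: str) -> tuple[bool, str]:
    """Reject names with no extension, any executable extension, or a final extension not allowlisted."""
    parts = name_parts(name)
    if not parts:
        return False, "file name has no extension"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return False, "name contains an executable extension"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{parts[-1]}' is not allowlisted"
    return True, "ok"


def validate_upload(name: str, content: bytes) -> tuple[bool, str]:
    """Server-side upload check. Must run before the file is written to disk,
    regardless of what the client-side validator reported."""
    ok, reason = validate_name(name)
    if not ok:
        return False, reason
    ext = name_parts(name)[-1]
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, f"content does not match the '{ext}' signature"
    if PHP_OPEN_TAG.search(content):
        return False, "content contains a PHP open tag"
    return True, "ok"


def validate_rename(old_name: str, new_name: str) -> tuple[bool, str]:
    """Rename check. The target name is validated exactly like a fresh upload name,
    so a stored '.png' cannot be turned into a '.php' through the rename API."""
    ok, reason = validate_name(new_name)
    if not ok:
        return False, f"rename of '{old_name}' refused: {reason}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a genuine PNG header and a PHP payload disguised as PNG.
    real_png = MAGIC["png"] + b"\x00" * 16
    fake_png = b"<?php echo 'hello'; ?>"
    print(validate_upload("photo.png", real_png))          # (True, 'ok')
    print(validate_upload("shell.png", fake_png))          # (False, ...)
    print(validate_rename("photo.png", "photo.php"))       # (False, ...)
    print(validate_rename("photo.png", "photo-2.png"))     # (True, 'ok')
```

Validation alone is defence in depth, not the whole fix: the upload directory should also be served without any script handler (or from a location the web server cannot execute from at all), so that a file which slips through these checks is still returned as static content rather than run.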

Exploits (2)

nomisec WRITEUP 3 stars
by Theethat-Thamwasin · poc
https://github.com/Theethat-Thamwasin/CVE-2025-56399
nomisec WORKING POC
by im-hanzou · poc
https://github.com/im-hanzou/CVE-2025-56399

Scores

CVSS v3 8.8
EPSS 0.0020
EPSS Percentile 41.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Published Oct 28, 2025
Tracked Since Feb 18, 2026