CVE-2025-65346

CRITICAL

alexusmai/laravel-file-manager < 3.3.1 - Directory Traversal via Archive Extraction


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65346. PoCs published by Theethat-Thamwasin.

AI-analyzed exploit summary: This repository contains a detailed writeup for CVE-2025-65346, describing an authenticated path traversal vulnerability in laravel-file-manager v3.3.1 and below, allowing arbitrary file write during ZIP extraction. The flaw can lead to remote code execution by overwriting critical files.

Description

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths.

Exploits (1)

nomisec WRITEUP
by Theethat-Thamwasin · poc
https://github.com/Theethat-Thamwasin/CVE-2025-65346

Classification
Writeup 100%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: laravel-file-manager v3.3.1 and below
Auth required
Prerequisites: Access to the application's unzip functionality · Ability to upload or provide a crafted ZIP archive
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.1
EPSS 0.0018
EPSS Percentile 39.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
alexusmai/laravel-file-manager · Packagist
alexusmai/laravel_file_manager < 3.3.1
Published Dec 04, 2025
Tracked Since Feb 18, 2026