CVE-2025-56399HIGH 8.8EPSS p38.9%

CVE-2025-56399CVE-2025-56399

Description

alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.50% probability of exploitation · percentile 38.9% · 2026-06-18T12:00:27Z
Published2025-10-28
Last modified2026-04-15

Underlying weaknesses· 1

CWE-94

References

  1. http://laravel-file-manager.com
  2. https://github.com/Theethat-Thamwasin/CVE-2025-56399

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-63307
CVE
CVE-2025-65346
CVE
CVE-2025-46001
CVE
CVE-2025-14894
CVE
CVE-2025-63994
CVE
WordPress File Manager Plugin Remote Code Execution Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.