{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5482", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-03T09:53:14.018Z", "datePublished": "2026-06-15T11:44:46.963Z", "dateUpdated": "2026-06-15T12:32:39.368Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Responsive FileManager", "programFiles": ["filemanager/dialog.php"], "repo": "https://github.com/trippo/ResponsiveFilemanager", "vendor": "Tecrail", "versions": [{"lessThanOrEqual": "9.14.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kamil Szczurowski"}, {"lang": "en", "type": "finder", "value": "Robert Kruczek"}], "datePublic": "2026-06-15T11:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Responsive FileManager's allows an <span style=\"background-color: rgb(255, 255, 255);\">unauthenticated&nbsp;</span>attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.&nbsp;<br><br>This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release&nbsp;9.14.0&nbsp;"}], "value": "Responsive FileManager's allows an unauthenticated\u00a0attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u00a0\n\nThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u00a09.14.0"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-15T11:44:46.963Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/06/CVE-2026-5482"}, {"tags": ["product"], "url": "https://github.com/trippo/ResponsiveFilemanager"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "Remote Code Execution via Unrestricted File Upload in Responsive FileManager", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T12:32:30.749356Z", "id": "CVE-2026-5482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T12:32:39.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-15T12:32:30.749356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T12:32:35.432Z"}}], "cna": {"tags": ["unsupported-when-assigned", "x_open-source"], "title": "Remote Code Execution via Unrestricted File Upload in Responsive FileManager", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kamil Szczurowski"}, {"lang": "en", "type": "finder", "value": "Robert Kruczek"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/trippo/ResponsiveFilemanager", "vendor": "Tecrail", "product": "Responsive FileManager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.14.0"}], "programFiles": ["filemanager/dialog.php"], "defaultStatus": "unaffected"}], "datePublic": "2026-06-15T11:44:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2026/06/CVE-2026-5482", "tags": ["third-party-advisory"]}, {"url": "https://github.com/trippo/ResponsiveFilemanager", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Responsive FileManager's allows an unauthenticated\u00a0attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u00a0\n\nThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u00a09.14.0", "supportingMedia": [{"type": "text/html", "value": "Responsive FileManager's allows an <span style=\"background-color: rgb(255, 255, 255);\">unauthenticated&nbsp;</span>attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.&nbsp;<br><br>This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release&nbsp;9.14.0&nbsp;", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-15T11:44:46.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5482", "state": "PUBLISHED", "dateUpdated": "2026-06-15T12:32:39.368Z", "dateReserved": "2026-04-03T09:53:14.018Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-06-15T11:44:46.963Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cvd@cert.pl", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Responsive FileManager's allows an unauthenticated\u00a0attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u00a0\n\nThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u00a09.14.0"}], "id": "CVE-2026-5482", "lastModified": "2026-06-15T12:16:25.947", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-06-15T12:16:25.947", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/06/CVE-2026-5482"}, {"source": "cvd@cert.pl", "url": "https://github.com/trippo/ResponsiveFilemanager"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.14.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Responsive FileManager", "source": "cna", "vendor": "Tecrail"}, "product": "responsive_filemanager", "vendor": "tecrail"}], "created": "2026-06-15T13:30:05.106434+00:00", "updated": "2026-06-15T13:30:05.226593+00:00", "vendors": ["tecrail", "tecrail$PRODUCT$responsive_filemanager"]}