CVE-2019-25673

State: PUBLISHED · Published: 2026-04-05 · Updated: 2026-04-06 · Assigner: VulnCheck

Description

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.

CWE

CWE-434 — Unrestricted Upload of File with Dangerous Type

Affected

UniSharp / Laravel File Manager — v=2.0.0 [affected]

CVSS

4.0 score=8.7 severity=HIGH CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.1 score=8.8 severity=HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://www.exploit-db.com/exploits/46389 exploit
https://github.com/UniSharp/laravel-filemanager product
https://github.com/UniSharp/laravel-filemanager/issues/356 product
https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload third-party-advisory

Source

cvelistV5-main/cves/2019/25xxx/CVE-2019-25673.json