CVE-2025-15138

Published: Dec 28, 2025Modified: Apr 29, 2026

2.0

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (1)

Products: Prasathmani: Tiny File Manager

1 product

Tiny File Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prasathmani Tiny File Manager	Up to 2.6

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/?ctiid.338516

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.338516

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.714177

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

Timeline

No history available yet.