CVE-2025-46651

Published: Feb 3, 2026Modified: Feb 10, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.

Affected (1)

Products: Prasathmani: Tiny File Manager

1 product

Tiny File Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prasathmani Tiny File Manager	Up to 2.6

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md

Source: cve@mitre.org

Third Party AdvisoryMitigation

https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608

Source: cve@mitre.org

Product

Timeline

No history available yet.