CVE-2025-15138
Path Traversal in TinyFileManager.php Allows Remote Exploitation
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prasathmani | tinyfilemanager | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal flaw in the prasathmani TinyFileManager up to version 2.6. It occurs due to improper handling of the 'fullpath' argument in the tinyfilemanager.php file, allowing an attacker to manipulate the file path and potentially access unauthorized files on the server. The vulnerability can be exploited remotely, and an exploit has been published.
How can this vulnerability impact me?
The vulnerability can allow an attacker to access files outside the intended directory, potentially exposing sensitive information, modifying files, or causing denial of service. This can lead to information disclosure, integrity compromise, and availability issues on the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability compromises confidentiality, integrity, and availability of the affected system, which can lead to unauthorized access to sensitive data. Such impacts can negatively affect compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, no specific compliance implications are detailed in the provided resources. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for instances of the vulnerable application using Google dorking with queries such as 'inurl:tinyfilemanager.php'. Additionally, monitoring for unusual requests manipulating the 'fullpath' parameter in HTTP requests to tinyfilemanager.php may help detect exploitation attempts. Specific commands are not provided, but network administrators can use web server logs to search for suspicious URL patterns containing directory traversal sequences or unusual 'fullpath' parameter values. [1]
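As an added example that is not part of this advisory or of the TinyFileManager project, the following Python script applies the log-search advice above to a few constructed Apache combined-format access-log lines: it flags requests to tinyfilemanager.php whose 'fullpath' parameter contains a '..' segment after percent-decoding (double encoding included). The log format, the sample lines and the requirement that the parameter name is exactly 'fullpath' are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2025:10:01:02 +0000] "GET /tinyfilemanager.php?p=docs&fullpath=docs/report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2025:10:01:09 +0000] "GET /tinyfilemanager.php?fullpath=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"
203.0.113.7 - - [28/Dec/2025:10:01:15 +0000] "GET /tinyfilemanager.php?fullpath=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 420 "-" "curl/8.4.0"
203.0.113.9 - - [28/Dec/2025:10:02:00 +0000] "GET /index.php?fullpath=../secret HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2025:10:02:30 +0000] "GET /tinyfilemanager.php?fullpath=%252e%252e%252fetc%252fhosts HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded '..' (%252e) is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when the decoded value contains a '..' path segment (slash or backslash separated)."""
    decoded = fully_decode(value).replace("\\", "/")
    return ".." in decoded.split("/")


def scan_log(text):
    """Return one finding per request to tinyfilemanager.php whose fullpath looks like traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("tinyfilemanager.php"):
            continue
        # parse_qs already decodes one layer; fully_decode handles any further layers.
        for value in parse_qs(parts.query).get("fullpath", []):
            if is_traversal(value):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": m.group("status"), "fullpath": fully_decode(value)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} fullpath={f['fullpath']}")
```

A 200 status on a flagged request is the case worth triaging first; the script reports status so those can be sorted to the top.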
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or mitigations published for this vulnerability. The recommended immediate step is to replace the affected software (prasathmani TinyFileManager versions up to 2.6) with an alternative product. Since the vulnerability requires authentication and allows path traversal leading to potential remote code execution, removing or disabling the vulnerable application is advised until a secure version or patch is available. [1]