CVE-2026-37266
Remote Code Execution in Responsive File Manager
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| responsive_file_manager | responsive_filemanager | 9.14.0 |
| responsive_file_manager | responsive_filemanager | up to 9.14.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Responsive File Manager version 9.14.0, specifically in the force_download.php component. It allows a remote attacker to execute arbitrary code on the affected system.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could run arbitrary code remotely, potentially gaining unauthorized control over the affected system. This could lead to data theft, system compromise, or further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerabilities in Responsive FileManager Version 9.14.0, including Local File Inclusion and arbitrary file creation leading to potential full server compromise, can result in unauthorized access to sensitive data and system control.
Such security issues increase the risk of data breaches, which can lead to non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Since the project has been discontinued and no fixes will be provided, organizations using this software remain exposed, potentially violating compliance requirements related to maintaining secure systems and protecting data confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for exploitation attempts targeting the 'force_download.php' component and the 'execute.php' component in Responsive FileManager version 9.14.0.
- Monitor web server logs for suspicious requests manipulating the 'name' parameter in URLs such as 'filemanager/force_download.php?name=...' which may indicate attempts to exploit Local File Inclusion (LFI).
- Look for HTTP requests to 'execute.php' with the 'create_file' action and path traversal patterns in the 'name' parameter that could indicate attempts to upload or execute arbitrary files.
- Use commands like 'grep' on your web server access logs to find suspicious patterns, for example:
  - grep -i 'force_download.php' /var/log/apache2/access.log | grep -E 'name=.*\.\./'
  - grep -i 'execute.php' /var/log/apache2/access.log | grep -E 'create_file.*name=.*\.\./'
Additionally, scanning the server for unexpected or newly created PHP files in web-accessible directories may help detect successful exploitation.
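As an added illustration that is not part of this CVE record, the following Python script applies the log checks above to constructed sample access-log lines. It goes beyond the grep one-liners by parsing the request target and decoding percent-encoded (and double-encoded) traversal sequences that a literal '../' grep would miss; the sample lines, IP addresses and the action-in-query-string form are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (assumption: combined-log style, not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2026:10:01:02 +0000] "GET /filemanager/force_download.php?name=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [28/May/2026:10:02:11 +0000] "GET /filemanager/force_download.php?name=../../config.php HTTP/1.1" 200 2048
10.0.0.9 - - [28/May/2026:10:02:40 +0000] "GET /filemanager/force_download.php?name=%252e%252e%252fetc%2fpasswd HTTP/1.1" 200 1337
10.0.0.9 - - [28/May/2026:10:03:05 +0000] "POST /filemanager/execute.php?action=create_file&name=../../shell.php HTTP/1.1" 200 10
10.0.0.7 - - [28/May/2026:10:04:00 +0000] "GET /filemanager/dialog.php HTTP/1.1" 200 9000
"""

# Client IP, method and request target from a combined-log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment delimited by / or \ (or at the start/end of the value).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_param(value):
    # parse_qs already decoded once; decode again so double-encoded %252e%252e%252f is caught too.
    return unquote(value)

def classify(line):
    """Return a finding tag for a suspicious request, or None for benign/unparseable lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(url.query, keep_blank_values=True)
    names = [decode_param(v) for v in params.get("name", [])]
    traversal = any(TRAVERSAL_RE.search(n) for n in names)
    if script == "force_download.php" and traversal:
        return "lfi_force_download"
    if script == "execute.php" and "create_file" in params.get("action", []) and traversal:
        return "create_file_traversal"
    return None

def scan(log_text):
    """Return (client_ip, finding) pairs for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            hits.append((REQUEST_RE.match(line).group("ip"), tag))
    return hits

if __name__ == "__main__":
    for ip, tag in scan(SAMPLE_LOG):
        print(ip, tag)
```

POST bodies are not written to access logs, so a create_file action carried only in the request body will not be visible here; inspect request-body logging or WAF logs for that case.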
What immediate steps should I take to mitigate this vulnerability?
Since Responsive FileManager version 9.14.0 is permanently vulnerable and the project has been discontinued with no fixes available, immediate mitigation steps include:
- Disable or restrict access to the 'force_download.php' and 'execute.php' components to prevent exploitation.
- Implement strict access controls and authentication to limit who can access the file manager functionality.
- Consider removing or replacing Responsive FileManager with a maintained and secure alternative.
- Monitor your system for signs of compromise and unauthorized file uploads or modifications.
Applying web application firewall (WAF) rules to block malicious requests targeting these vulnerabilities can also help reduce risk.