{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25673", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T13:17:49.662Z", "datePublished": "2026-04-05T20:45:25.829Z", "dateUpdated": "2026-04-06T15:54:09.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-05T20:45:25.829Z"}, "datePublic": "2019-02-15T00:00:00.000Z", "title": "UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload", "descriptions": [{"lang": "en", "value": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "affected": [{"vendor": "UniSharp", "product": "Laravel File Manager", "versions": [{"version": "2.0.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46389", "name": "ExploitDB-46389", "tags": ["exploit"]}, {"url": "https://github.com/UniSharp/laravel-filemanager", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/UniSharp/laravel-filemanager/issues/356", "name": "Source Code Repository", "tags": ["product"]}, {"name": "VulnCheck Advisory: UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload"}], "credits": [{"lang": "en", "value": "Mohammad Danish", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:53:46.706479Z", "id": "CVE-2019-25673", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:54:09.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Mohammad Danish"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "UniSharp", "product": "Laravel File Manager", "versions": [{"status": "affected", "version": "2.0.0"}]}], "datePublic": "2019-02-15T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46389", "name": "ExploitDB-46389", "tags": ["exploit"]}, {"url": "https://github.com/UniSharp/laravel-filemanager", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/UniSharp/laravel-filemanager/issues/356", "name": "Source Code Repository", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload", "name": "VulnCheck Advisory: UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-05T20:45:25.829Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25673", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:53:46.706479Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-06T15:54:03.464Z"}}]}, "cveMetadata": {"cveId": "CVE-2019-25673", "state": "PUBLISHED", "dateUpdated": "2026-04-05T20:45:25.829Z", "dateReserved": "2026-04-05T13:17:49.662Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-05T20:45:25.829Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path."}], "id": "CVE-2019-25673", "lastModified": "2026-04-16T16:15:56.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-05T21:16:45.113", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/UniSharp/laravel-filemanager"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/UniSharp/laravel-filemanager/issues/356"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46389"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Laravel File Manager", "source": "cna", "vendor": "UniSharp"}, "product": "laravel-filemanager", "vendor": "unisharp"}], "analysis": {"en": {"generated_at": "2026-04-05T23:24:14.517619+00:00", "value": {"mitigation_remediation": ["Check UniSharp's GitHub releases for a version that fixes the arbitrary file upload issue", "If no fix is available, temporarily disable the upload endpoint or restrict uploads to image file types only", "Implement server\u2011side validation to reject files with PHP extensions and enforce MIME type checks"], "summary": {"action": "Immediate patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is UniSharp Laravel File Manager, versions 2.0.0-alpha7 and 2.0.", "description_and_impact": "The vulnerability allows an authenticated attacker to upload arbitrary files, specifically PHP scripts, to the file manager via multipart form data. Executing one of these uploaded scripts gives the attacker the ability to run arbitrary PHP code on the server, compromising confidentiality, integrity, and availability of the system. The weakness is an arbitrary file upload flaw, identified as CWE-434.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, but EPSS data is missing, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through the web application interface of the upload endpoint, requiring authentication to the file manager. Once authenticated, an attacker can craft a multipart request to upload a PHP file and then trigger it via the working directory path."}}}}, "created": "2026-04-06T20:22:43.377176+00:00", "updated": "2026-04-06T21:48:35.789276+00:00", "vendors": ["unisharp", "unisharp$PRODUCT$laravel-filemanager"]}