{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6496", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-17T08:39:23.244Z", "datePublished": "2026-04-17T14:30:12.997Z", "dateUpdated": "2026-04-17T16:35:16.121Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:30:12.997Z"}, "title": "prasathmani TinyFileManager POST Parameter filemanager.php path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "prasathmani", "product": "TinyFileManager", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3", "status": "affected"}, {"version": "2.4", "status": "affected"}, {"version": "2.5", "status": "affected"}, {"version": "2.6", "status": "affected"}], "modules": ["POST Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-17T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-17T10:44:33.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0xNayel (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358039", "name": "VDB-358039 | prasathmani TinyFileManager POST Parameter filemanager.php path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358039/cti", "name": "VDB-358039 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787942", "name": "Submit #787942 | github.com/prasathmani tinyfilemanager 2.6 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/14taA8w3e5z3gl4WttpB4_CquwQdz1i6r/view?usp=sharing", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T16:35:04.338813Z", "id": "CVE-2026-6496", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T16:35:16.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6496", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T16:35:04.338813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T16:35:11.876Z"}}], "cna": {"title": "prasathmani TinyFileManager POST Parameter filemanager.php path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "0xNayel (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "prasathmani", "modules": ["POST Parameter Handler"], "product": "TinyFileManager", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3"}, {"status": "affected", "version": "2.4"}, {"status": "affected", "version": "2.5"}, {"status": "affected", "version": "2.6"}]}], "timeline": [{"lang": "en", "time": "2026-04-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-17T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-17T10:44:33.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358039", "name": "VDB-358039 | prasathmani TinyFileManager POST Parameter filemanager.php path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358039/cti", "name": "VDB-358039 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787942", "name": "Submit #787942 | github.com/prasathmani tinyfilemanager 2.6 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/14taA8w3e5z3gl4WttpB4_CquwQdz1i6r/view?usp=sharing", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:30:12.997Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6496", "state": "PUBLISHED", "dateUpdated": "2026-04-17T16:35:16.121Z", "dateReserved": "2026-04-17T08:39:23.244Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-17T14:30:12.997Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6496", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-17T15:16:52.480", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/14taA8w3e5z3gl4WttpB4_CquwQdz1i6r/view?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/787942"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358039"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358039/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.6"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "TinyFileManager", "source": "cna", "vendor": "prasathmani"}, "product": "tiny_file_manager", "vendor": "prasathmani"}], "analysis": {"en": {"generated_at": "2026-04-18T09:16:27.070632+00:00", "value": {"mitigation_remediation": ["Upgrade TinyFileManager to a version that includes a fix for the file[] input handling, if a vendor patch has been released.", "Sanitize the file[] parameter server\u2011side by rejecting any value that contains '..' or absolute path indicators and restricting the allowed characters to safe path fragments. ", "Restrict access to filemanager.php by requiring proper authentication and authorisation, and consider disabling or removing the filemanager module if it is not required for production use."], "summary": {"action": "Apply Patch", "impact": "Path Traversal \u2013 Arbitrary File Access"}, "threat_synthesis": {"affected_systems": "The affected component is prasathmani TinyFileManager, any installation where the filemanager.php handler is exposed, specifically versions up to 2.6. No earlier versions have been indicated or patched by the vendor.", "description_and_impact": "A path\u2011traversal flaw exists in prasathmani TinyFileManager versions up to 2.6. The vulnerability is triggered through manipulation of the POST parameter file[] in the filemanager.php handler. By sending specially crafted values containing directory traversal sequences, an attacker can cause the server to resolve paths outside the intended directory, potentially reading arbitrary files from the filesystem. The flaw is exploitable remotely, and a public exploit has been released, demonstrating the practical risk to deployed instances.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed large\u2011scale exploitation yet. The attack vector is likely a remote HTTP POST request to filemanager.php with a crafted file[] parameter. Successful exploitation would grant the attacker read access to files on the server, potentially exposing sensitive data or configuration files. The vulnerability does not inherently provide code execution but could be leveraged in a broader compromise if sensitive files are read or if an attacker later injects code via other channels."}}}}, "created": "2026-04-17T20:40:08.867973+00:00", "updated": "2026-04-18T09:30:25.677396+00:00", "vendors": ["prasathmani", "prasathmani$PRODUCT$tiny_file_manager"]}