Unknown · Roxy Fileman · CVE-2022-40797
**Name of the Vulnerable Software and Affected Versions**
Roxy Fileman version 1.4.6
**Description**
Roxy Fileman 1.4.6 allows Remote Code Execution through an uploaded `.phar` file. The upload filter is a blocklist driven by the `FORBIDDEN_UPLOADS` value in `conf.json`, and the default list only covers `.php`, `.php4` and `.php5`, so a file named `shell.phar` passes the check and is written to the web-served upload directory. Whether it then executes depends on the web server: configurations that map `.phar` to the PHP handler (for example the Debian/Ubuntu mod_php configuration, whose `<FilesMatch ".+\.ph(ar|p|tml)$">` block hands `.phar` to `application/x-httpd-php`) run the uploaded file as PHP when it is requested, while a server that only routes `\.php$` to PHP serves it as a download.
**Recommendations**
For Roxy Fileman version 1.4.6, add `phar` (and the other PHP-handled extensions your server maps, such as `phtml`, `php3`, `php7` and `phps`) to the `FORBIDDEN_UPLOADS` value in `conf.json`. Because a blocklist only covers the extensions someone remembered to list, prefer an allowlist of the extensions the application actually needs, and disable script execution in the upload directory at the web server (for Apache mod_php, `php_flag engine off` or a `SetHandler` that is not PHP for that directory). As a temporary workaround, deny web access to `.phar` files so that an already uploaded file cannot be invoked.
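The following is an added example, not Roxy Fileman's own code: it reimplements the space-separated extension blocklist/allowlist semantics described above and pairs it with the Debian/Ubuntu mod_php `FilesMatch` pattern, so you can see why the three-entry default lets `shell.phar` through and why the hardened list or an allowlist stops it. The `HARDENED_FORBIDDEN` list and the function names are assumptions for illustration; the regex is the one shipped in Debian's mod_php configuration.

```python
import re

# Roxy Fileman stores FORBIDDEN_UPLOADS / ALLOWED_UPLOADS in conf.json as
# space-separated extension lists. The three-entry default is the one the
# advisory describes; HARDENED_FORBIDDEN is an assumed suggestion, not a
# value taken from the project.
WEAK_FORBIDDEN = "php php4 php5"
HARDENED_FORBIDDEN = "php php3 php4 php5 php7 phtml phar phps"

# Debian/Ubuntu ship this <FilesMatch> pattern in the mod_php config and map
# matches to application/x-httpd-php. Apache regexes are case-sensitive
# unless written with (?i), so the check below is case-sensitive too.
DEBIAN_MOD_PHP_PATTERN = r".+\.ph(ar|p|tml)$"


def extension(filename: str) -> str:
    """Return the lower-cased final extension of a path ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def can_upload(filename: str, forbidden: str = WEAK_FORBIDDEN, allowed: str = "") -> bool:
    """Blocklist/allowlist decision: forbidden entries always lose,
    a non-empty allowlist must contain the extension."""
    ext = extension(filename)
    forbidden_set = set(forbidden.lower().split())
    allowed_set = set(allowed.lower().split())
    if ext in forbidden_set:
        return False
    if allowed_set and ext not in allowed_set:
        return False
    return True


def server_executes_as_php(filename: str, pattern: str = DEBIAN_MOD_PHP_PATTERN) -> bool:
    """True when the web server would hand this file name to the PHP handler."""
    return re.search(pattern, filename) is not None


def exploitable(filename: str, forbidden: str = WEAK_FORBIDDEN, allowed: str = "") -> bool:
    """RCE needs both: the filter accepts the file AND the server runs it."""
    return can_upload(filename, forbidden, allowed) and server_executes_as_php(filename)


if __name__ == "__main__":
    # Constructed sample names, not captured data.
    for name in ("shell.php", "shell.phar", "shell.PHAR", "shell.phar.txt", "photo.jpg"):
        print(f"{name:15} weak={exploitable(name)!s:5} "
              f"hardened={exploitable(name, HARDENED_FORBIDDEN)!s:5} "
              f"allowlist={exploitable(name, WEAK_FORBIDDEN, 'jpg png gif')}")
```

Note the `shell.PHAR` row: the upload filter lower-cases the extension, but the Debian pattern is case-sensitive, so that name is accepted and yet not executed on a case-sensitive filesystem. Do not rely on that, since other handler configurations differ; the hardened list and the allowlist both stop the file before it reaches the disk.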