PT-2025-44188 · Unknown · Laravel-File-Manager

Published 2025-10-28 · Updated 2025-10-29 · CVE-2025-56399

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: laravel-file-manager versions 3.3.1 and before

Description: An authenticated attacker can achieve Remote Code Execution (RCE) by uploading a crafted file. A file with a '.png' extension containing PHP code can be uploaded through the file manager interface. While client-side validation may indicate upload failure, the file is saved on the server. The attacker can then use the rename API to change the file extension to '.php', and accessing it via a public URL results in server-side code execution. The vulnerable API endpoint used for renaming is not specified. The vulnerable parameter used for file upload is not specified.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
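The description above turns on two server-side gaps: the upload handler trusts the declared extension, and the rename handler lets the extension change to one the web server executes. The following is an added example of a policy that closes both; it is not code from laravel-file-manager (whose rename endpoint the record does not identify), and the helper names, the extension lists and the sample inputs are assumptions. It requires PHP 8 for str_contains and str_starts_with, and it complements, not replaces, configuring the web server to never execute scripts from the upload directory.

```php
<?php
// Added example (not part of laravel-file-manager): upload and rename policy checks.
// Extensions the file manager is willing to store (assumed allowlist).
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];
// Extensions a typical PHP web server will execute; never allowed, even via rename.
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps', 'pht'];

function extensionOf(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/** True only if the name has no path parts and every dotted suffix is acceptable (blocks shell.php.png). */
function isSafeFilename(string $name): bool {
    $base = basename($name);
    if ($base === '' || $base !== $name || str_contains($base, "\0")) {
        return false; // directory component, empty name, or null byte
    }
    $parts = explode('.', $base);
    array_shift($parts); // drop the stem, keep every suffix
    if (count($parts) === 0) {
        return false; // no extension at all: cannot decide how it will be served
    }
    foreach ($parts as $p) {
        if (in_array(strtolower($p), EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(strtolower(end($parts)), ALLOWED_EXTENSIONS, true);
}

/** Rename policy: both names must be safe and the extension must not change. */
function isRenameAllowed(string $oldName, string $newName): bool {
    return isSafeFilename($oldName) && isSafeFilename($newName)
        && extensionOf($oldName) === extensionOf($newName);
}

/** Upload policy: declared image type must match the magic bytes, and no PHP open tag may appear in the body. */
function isUploadAllowed(string $declaredName, string $bytes): bool {
    if (!isSafeFilename($declaredName)) {
        return false;
    }
    $magic = ['png' => "\x89PNG\r\n\x1a\n", 'jpg' => "\xFF\xD8\xFF", 'jpeg' => "\xFF\xD8\xFF", 'gif' => 'GIF8'];
    $ext = extensionOf($declaredName);
    if (isset($magic[$ext]) && !str_starts_with($bytes, $magic[$ext])) {
        return false; // extension says image, content does not
    }
    return preg_match('/<\?(php|=)/i', $bytes) !== 1; // reject "<?php" and "<?=" anywhere
}

// Constructed inputs: a file with a genuine PNG header but PHP code after it.
$disguised = "\x89PNG\r\n\x1a\n<?php echo 1; ?>";
var_dump(isUploadAllowed('avatar.png', $disguised));   // rejected: PHP tag inside
var_dump(isRenameAllowed('avatar.png', 'avatar.php')); // rejected: extension change
var_dump(isRenameAllowed('avatar.png', 'photo.png'));  // allowed: same extension
```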

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-56399

Affected Products

Laravel-File-Manager