PT-2026-33461 · Prasathmani · Tiny File Manager

0Xnayel · Published 2026-04-17 · Updated 2026-04-19 · CVE-2026-6497

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
prasathmani TinyFileManager versions prior to 2.7

Description
An issue in the File Upload Handler component allows server-side request forgery (SSRF), a flaw in which an attacker can induce the server to make requests to an unintended location. It is triggered by manipulating the uploadurl argument of the '/filemanager.php?p= ajax=true&type=upload' endpoint. The attack can be initiated remotely.

Recommendations
Update to a version newer than 2.6. As a temporary workaround, restrict access to the '/filemanager.php?p= ajax=true&type=upload' endpoint or avoid using the uploadurl parameter until a patch is applied.

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-6497

Affected Products
Tiny File Manager