CVE-2025-46002
Description
An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Filemanager v2.5.0 and below contains a directory traversal vulnerability in filemanager.php, allowing unauthenticated attackers to read arbitrary files.
Vulnerability
CVE-2025-46002 is a directory traversal vulnerability affecting Simogeo Filemanager version 2.5.0 and earlier. The flaw exists in the filemanager.php endpoint, where user-supplied path parameters are not properly sanitized, enabling path traversal sequences (e.g., ....//) to bypass validation. [1][2][3]
Exploitation
An attacker can send crafted HTTP requests to the PHP connector, manipulating the path parameter in modes such as preview, getfolder, getinfo, or download. Depending on the version, the connector is reachable without any prior authentication or session. [3]
Impact
Successful exploitation allows an attacker to read arbitrary files on the server filesystem, including sensitive configuration files, system files (e.g., /etc/passwd), and application source code. This can lead to further compromise through credential disclosure or information leakage. [3]
Mitigation
The project is deprecated, and no official patch for the latest affected version exists. However, versions 2.4.0 and 2.5.0 include proper input validation that mitigates the vulnerability. Users are strongly advised to migrate to the recommended RichFileManager fork or implement strict input validation and access controls on the filemanager.php endpoint. [1][3]
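To make the "strict input validation" recommendation concrete, here is an added example (not code from Filemanager or RichFileManager) contrasting a single-pass `../` filter, which the `....//` sequence from the description defeats, with a containment check against the connector root. `BASE_DIR` is an assumed placeholder; the logic is pure string handling so it runs offline.

```python
import posixpath

# Assumed connector root; a placeholder, not a path taken from the project.
BASE_DIR = "/var/www/html/userfiles"


def naive_strip(user_path: str) -> str:
    """Single-pass removal of '../', the kind of filter '....//' defeats:
    one pass leaves a fresh '../' behind. Insecure, shown for contrast only."""
    return user_path.replace("../", "")


def resolve_after_naive_filter(base_dir: str, user_path: str) -> str:
    """What a connector that trusts naive_strip() and skips a root check
    ends up opening."""
    filtered = naive_strip(user_path).lstrip("/")
    return posixpath.normpath(posixpath.join(base_dir, filtered))


def safe_resolve(base_dir: str, user_path: str):
    """Resolve user_path inside base_dir and return the absolute path, or
    None when the result would escape the root. Uses posixpath so it needs
    no filesystem; a real connector should also run os.path.realpath on the
    result so symlinks inside the root cannot point outside it."""
    # NUL bytes and backslashes have no legitimate use in a request path.
    if "\x00" in user_path or "\\" in user_path:
        return None
    base = posixpath.normpath(base_dir)
    # Absolute paths are treated as relative to the root, then normalised.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    # Containment: the result must be the root itself or lie beneath it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```

Note that without the naive filter, `....//` is just a directory literally named `....`; the traversal only appears after the filter rewrites it.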
- GitHub - simogeo/Filemanager: An open-source file manager released under MIT license. Up-to-date for PHP connector. This package is DEPRECATED. Now, please use RichFileManager available at : https://github.com/servocoder/RichFilemanager.
- NVD - CVE-2025-46002
- CVE-List/CVE-2025-46002/CVE-2025-46002.md at main · zakumini/CVE-List
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simogeo/filemanager (Packagist) | <= 2.5.0 | — |
Affected products
- Filemanager/Filemanager
- Range: <=2.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r7q6-6fmq-mx4c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-46002 (ghsa, ADVISORY)
- github.com/simogeo/Filemanager/releases/tag/v1.7.0 (ghsa, WEB)
- github.com/simogeo/Filemanager/releases/tag/v1.8.0 (ghsa, WEB)
- github.com/simogeo/Filemanager/releases/tag/v2.0.0 (ghsa, WEB)
- github.com/simogeo/Filemanager/releases/tag/v2.1.0 (ghsa, WEB)
- github.com/simogeo/Filemanager/releases/tag/v2.2.0 (ghsa, WEB)
- github.com/simogeo/Filemanager/releases/tag/v2.3.0 (ghsa, WEB)
- github.com/zakumini/CVE-List/blob/main/CVE-2025-46002/CVE-2025-46002.md (ghsa, WEB)
- www.exploit-db.com/exploits/38945 (ghsa, WEB)
News mentions
No linked articles in our index yet.