High severity8.8NVD Advisory· Published Oct 28, 2025· Updated Apr 15, 2026
CVE-2025-56399
CVE-2025-56399
Description
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to .php`, and upon accessing it via a public URL, the server executes the embedded code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=3.3.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.