High severityOSV Advisory· Published Dec 4, 2025· Updated Dec 5, 2025

CVE-2025-65346

Description

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
alexusmai/laravel-file-managerPackagist	<= 3.3.1	—

Affected products

Alexusmai/Laravel File ManagerOSV
Range: 1.0.0, 1.0.1, 1.0.2, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-q5hg-wppq-r2ccghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-65346ghsaADVISORY
github.com/Theethat-Thamwasin/CVE-2025-65346/blob/main/POC-CVE-65346.mdghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000