CVE-2026-37266
Description
An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated LFI and arbitrary file creation vulnerability in Responsive FileManager 9.14.0 allows remote code execution via the force_download.php component.
Vulnerability
An issue in Responsive FileManager version 9.14.0 allows a remote attacker to exploit a Local File Inclusion (LFI) and arbitrary file creation vulnerability via the force_download.php component and the name parameter [1][2]. The software is a PHP-based file manager that handles file storage and retrieval. Version 9.14.0 is affected; the project has been discontinued and no fixes are available [1][2].
Exploitation
An attacker can send a crafted HTTP request to filemanager/force_download.php with a malicious name parameter containing path traversal sequences (e.g., ../../../etc/passwd) to read arbitrary files from the server [2]. No authentication is required because the file manager's uploaded content is intended to be publicly accessible. Additionally, the attacker can upload files of arbitrary types (including PHP scripts) despite built-in controls, leading to remote code execution [2].
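As an added example (not from the advisory or the project's own code), the following shows how a defender can pick out traversal attempts against the `name` parameter of `force_download.php` in web-server access logs, using the same containment check that a hardened download handler should apply before opening a file. The sample log lines, the upload root and the combined-log regex are constructed assumptions.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2026:10:01:02 +0000] "GET /filemanager/force_download.php?path=docs&name=report.pdf HTTP/1.1" 200 8812
203.0.113.11 - - [28/May/2026:10:01:09 +0000] "GET /filemanager/force_download.php?path=docs&name=../../../etc/passwd HTTP/1.1" 200 1840
203.0.113.12 - - [28/May/2026:10:01:15 +0000] "GET /filemanager/force_download.php?path=docs&name=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 2210
203.0.113.13 - - [28/May/2026:10:01:20 +0000] "GET /filemanager/dialog.php?type=2 HTTP/1.1" 200 5123
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')
UPLOAD_ROOT = "/var/www/uploads"  # assumed upload root; deployment-specific

def escapes_root(name: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the user-supplied `name` would resolve outside `root`.
    This is the containment check a hardened download handler performs before
    opening the file, and the predicate the log scan below relies on."""
    decoded = unquote(name)  # extra decode catches double-encoded traversal
    if "\x00" in decoded:    # NUL-truncation attempts never name a legitimate file
        return True
    parts: list[str] = []    # resolve '.' and '..' lexically, no filesystem access
    for seg in PurePosixPath(root, decoded).parts[1:]:
        if seg == "..":
            if parts:
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    resolved, root_path = PurePosixPath("/", *parts), PurePosixPath(root)
    return resolved != root_path and root_path not in resolved.parents

def flag_traversal(log_text: str) -> list[dict]:
    """One record per force_download.php request whose `name` escapes the upload root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/force_download.php"):
            continue
        for name in parse_qs(url.query).get("name", []):  # parse_qs already decodes once
            if escapes_root(name):
                hits.append({"ip": m["ip"], "name": unquote(name), "status": int(m["status"])})
    return hits
```

A 200 status on a flagged request is the signal worth escalating: it means the handler served a file from outside the upload root rather than rejecting the name.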
Impact
Successful exploitation allows an unauthenticated remote attacker to read sensitive files (e.g., passwords, configuration details, source code) and create arbitrary files on the server, potentially leading to full host compromise, data breaches, and service disruption [2]. The LFI can serve as a stepping stone for further attacks [2].
Mitigation
No patch is available; Responsive FileManager version 9.14.0 is the final release and the project has been discontinued [1][2]. The only effective mitigation is to disable or remove the component entirely and migrate to an actively maintained alternative file manager [2].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 9.14.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient input validation in force_download.php allows a remote attacker to execute arbitrary code."
Attack vector
A remote attacker can send a crafted request to the `force_download.php` endpoint to trigger arbitrary code execution. The advisory does not detail the exact payload shape or preconditions, but the attack is network-based and requires no authentication. The vulnerability allows an attacker to execute arbitrary code on the server by exploiting insufficient input validation in the download handling logic [1].
Affected code
The vulnerability is in the `force_download.php` component of Responsive FileManager version 9.14.0. The advisory does not specify the exact function or line within that file, but the component is responsible for handling forced file downloads.
What the fix does
The advisory for version 9.14.0 lists "fix Critical Security" as one of the changes but does not provide a specific patch diff or describe the remediation in detail. No patch file is included in the bundle. The vendor's changelog indicates the issue was addressed in version 9.14.0, but the exact fix mechanism is not documented in the available materials.
Preconditions
- network: The attacker must be able to reach the force_download.php endpoint over the network.
- auth: No authentication is required based on the advisory description.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.