CVE-2026-5482

Vulnerability

An unauthenticated attacker can upload files of any type and extension without restriction via the dialog.php endpoint in Responsive FileManager. The vulnerability affects all versions through 9.14.0, which is the latest release. The project is unmaintained. The issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). [1][2]

Exploitation

The attacker does not require authentication or any special privileges. By sending a crafted HTTP request to the vulnerable dialog.php endpoint, the attacker can upload arbitrary files (e.g., a PHP web shell). No user interaction is needed. The upload is unrestricted in file type and extension. [1][2]

Impact

Successful exploitation allows the attacker to achieve Remote Code Execution (RCE) on the server with the privileges of the web server. This leads to full compromise of the affected application and potentially the underlying system, including information disclosure, data modification, and further lateral movement. [2]

Mitigation

No fix is available because the project is unmaintained. The vendor has not released a patched version. As of publication, there is no known workaround. Users are strongly advised to replace or remove the affected software. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1][2]