CVE-2025-46651

MEDIUM EPSS 16.7%

Published Feb 3, 20264mo ago · Modified Jun 17, 20261w ago

4.3 CVSS 3.1

Medium

Published Feb 3, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.

CVSS Details

Base Score

4.3

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

16.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 1

Vendor	Product	Version	Range
prasathmani	tiny_file_manager	*	≤2.6

References 2

github.com https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md

MitigationThird Party Advisory
github.com https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608

Product

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.