CVE-2025-63307

HIGH EPSS 23.9%
Published Nov 6, 20257mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Nov 6, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago

Description

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.

CVSS Details

Base Score
8.1
Exploitability
1.7
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
23.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
alexusmailaravel_file_manager3.3.1any

References 3

  • github.com https://github.com/Theethat-Thamwasin/CVE-2025-63307
    Third Party Advisory
  • github.com https://github.com/Theethat-Thamwasin/CVE-2025-63307/blob/main/POC-CVE-63307.md
    ExploitThird Party Advisory
  • github.com https://github.com/alexusmai/laravel-file-manager
    Product

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.