CVE-2026-6497 MEDIUM

CVE-2026-6497: prasathmani TinyFileManager File Upload filemanager.php server-side request forgery

Vendor Prasathmani

Product TinyFileManager

Weakness CWE-918 · SSRF

Published April 17, 2026

Last update April 17, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

April 17, 2026 CVE published

April 17, 2026 Record updated

Identifiers

CVE CVE-2026-6497

CWE CWE-918

CVSS 5.3 / MEDIUM

Affected versions

Vendor Prasathmani

Product TinyFileManager

Affected 2.0

Vendor Prasathmani

Product TinyFileManager

Affected 2.1

Vendor Prasathmani

Product TinyFileManager

Affected 2.2

Vendor Prasathmani

Product TinyFileManager

Affected 2.3

Vendor Prasathmani

Product TinyFileManager

Affected 2.4

Vendor Prasathmani

Product TinyFileManager

Affected 2.5

Vendor Prasathmani

Product TinyFileManager

Affected 2.6