Platform: laravel
Component: laravel
Fixed in: 2.0.1
CVE-2019-25673 describes an arbitrary file access vulnerability discovered in UniSharp Laravel File Manager versions 2.0.0-alpha7 and 2.0. An authenticated attacker can exploit this flaw to upload malicious files, potentially leading to remote code execution. The vulnerability is addressed in version 2.0.1, and users are strongly advised to upgrade immediately.
This vulnerability allows authenticated users to upload arbitrary files to the UniSharp Laravel File Manager. Crucially, attackers can upload PHP files by manipulating the 'type' parameter during the upload process. Once uploaded, these malicious PHP files can be executed by accessing them through the file manager's working directory path. This effectively grants the attacker remote code execution capabilities on the server hosting the application. The potential impact includes complete server compromise, data theft, and the ability to install backdoors for persistent access.
While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential for remote code execution make this vulnerability a significant concern. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. This CVE was published on 2026-04-05. The vulnerability's impact is comparable to other file upload vulnerabilities that lead to remote code execution, highlighting the importance of prompt remediation.
Exploit Status
EPSS: 0.07% (21% percentile)
The primary mitigation for CVE-2019-25673 is to upgrade UniSharp Laravel File Manager to version 2.0.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing strict file type validation on the upload endpoint to prevent the upload of PHP files. Additionally, restrict access to the file manager's working directory to only authorized users and processes. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious file extensions or parameters. After upgrading, verify the fix by attempting to upload a PHP file and confirming that the upload fails with an appropriate error message.
Update to version 2.0.1 or higher to mitigate the arbitrary file upload vulnerability. This update corrects file type validation, preventing the execution of malicious code.
CVE-2019-25673 is a vulnerability in UniSharp Laravel File Manager allowing authenticated users to upload and execute malicious files, potentially leading to remote code execution.
You are affected if you are using UniSharp Laravel File Manager versions 2.0.0-alpha7 or 2.0 and have not upgraded to version 2.0.1 or later.
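To check a project against the affected and fixed versions named above, the following added example (not code from this page or from the UniSharp project) reads a composer.lock and classifies the locked version. The package name unisharp/laravel-filemanager is an assumption, since the page does not spell it out, and the lock content is a constructed sample.

```python
import json
import re

PACKAGE = "unisharp/laravel-filemanager"  # assumed Packagist name; not stated on the page
# Versions the page names as affected: 2.0.0-alpha7 and 2.0 (Composer treats 2.0 as 2.0.0).
LISTED_AFFECTED = {(2, 0, 0, "alpha7"), (2, 0, 0, "")}
FIXED = (2, 0, 1)  # "Fixed in 2.0.1", per the page

def parse_version(raw):
    """Normalise a lock-file version ('v2.0.0-alpha7', '2.0') to (major, minor, patch, pre)."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)?(?:-?([A-Za-z][\w.]*))?", raw.strip())
    if not m:
        return None  # branch aliases such as 'dev-master' have no comparable number
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), (pre or "").lower().replace(".", ""))

def classify(raw):
    """Return 'affected', 'fixed', 'unlisted' or 'unknown' for one version string."""
    v = parse_version(raw)
    if v is None:
        return "unknown"
    if v in LISTED_AFFECTED:
        return "affected"
    # A pre-release of 2.0.1 (e.g. 2.0.1-rc1) is not counted as the fixed release.
    if v[:3] > FIXED or (v[:3] == FIXED and not v[3]):
        return "fixed"
    return "unlisted"  # below 2.0.1, but not one of the versions the page names

def check_lock(lock_text):
    """Return [(section, version, verdict)] for every locked copy of the package."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if (pkg.get("name") or "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings

SAMPLE_LOCK = json.dumps({  # constructed sample, not a real project's lock file
    "packages": [{"name": "example/other-package", "version": "1.0.0"},
                 {"name": "unisharp/laravel-filemanager", "version": "v2.0.0-alpha7"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, verdict in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {verdict}")
```

A verdict of "unlisted" or "unknown" means the page gives no statement for that version, so it needs a manual check against the project's own advisory.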
Upgrade UniSharp Laravel File Manager to version 2.0.1 or later. Implement strict file type validation and restrict access to the file manager's working directory as temporary mitigations.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a significant concern and potential target.
Refer to the UniSharp Laravel File Manager project repository or related security advisories for the official advisory regarding CVE-2019-25673.