Platform: php
Component: tinyfilemanager
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1
CVE-2026-6496 describes a path traversal vulnerability in TinyFileManager versions 2.0.0 through 2.6. The flaw potentially allows attackers to access sensitive files on the server by manipulating the file[] parameter of /filemanager.php. The vulnerability is remotely exploitable and a public exploit is already available, which increases the risk of exploitation. No vendor response has been received.
Successful exploitation of CVE-2026-6496 allows an attacker to read arbitrary files from the server's file system, which could include configuration files containing database credentials, source code, or other sensitive information. What can actually be read depends on the server's file system permissions and on the layout of the application. While the vulnerability does not by itself give remote code execution, the information obtained could be used to identify and exploit other weaknesses in the system. The public availability of an exploit significantly increases the likelihood of widespread attacks on vulnerable installations.
CVE-2026-6496 was published on April 17, 2026. The vulnerability is considered actively exploitable due to the public availability of a proof-of-concept (POC). The exploit targets the /filemanager.php file and leverages the file[] parameter to bypass access controls. The lack of a response from the vendor increases the risk of exploitation. The vulnerability is not currently listed on KEV or EPSS, but its public exploit warrants immediate attention.
Exploit Status
EPSS: 0.02% (7th percentile)
The primary mitigation for CVE-2026-6496 is to upgrade TinyFileManager to a version that addresses the vulnerability. Unfortunately, no patched version has been released by the vendor. As a temporary workaround, implement strict input validation on the file[] parameter in /filemanager.php to prevent path traversal attempts. This could involve whitelisting allowed file extensions and validating that the file path does not contain directory traversal sequences (e.g., ../). Consider using a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Regularly monitor server logs for unusual file access attempts. After implementing these workarounds, verify their effectiveness by attempting to access files outside of the intended directory using crafted requests.
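The workaround above is easy to get wrong: a plain substring check for "../" misses URL-encoded forms and symlinks that point out of the intended directory. The PHP below is an added example (not TinyFileManager's own code) of the two defensive pieces that paragraph describes: resolveInsideBase() canonicalises each file[] value with realpath() and accepts it only if the result stays under a fixed base directory, and findTraversalAttempts() scans access-log lines for traversal sequences aimed at filemanager.php. The function names, the temporary demo directory and the log lines are constructed for illustration; the CLI section at the end runs a handful of crafted values through the check, which is the verification step the paragraph recommends.

```php
<?php
// Added example (not TinyFileManager's own code). Function names, the demo
// directory and the log lines below are constructed for illustration.
declare(strict_types=1);

/**
 * Canonicalise one file[] value against $baseDir. Returns the absolute path
 * only if the resolved target stays inside $baseDir, otherwise null.
 */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // base directory must already exist
    }
    if (strpos($requested, "\0") !== false) {
        return null;                        // NUL would truncate the path in C-level calls
    }
    // Decode once so an encoded "../" is normalised before canonicalisation,
    // and treat the value as relative even if it starts with a slash.
    $relative = ltrim(rawurldecode($requested), "/\\");
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($real === false) {
        return null;                        // target does not exist (or dangling symlink)
    }
    // Prefix test on the canonical path catches "../" chains and symlinks
    // that point outside the base; a substring search for ".." would not.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Scan access-log lines (combined format) and return those whose request to
 * filemanager.php carries a "../" (or "..\") sequence in a file[] parameter.
 */
function findTraversalAttempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST)\s+(\S+)/', $line, $m)) {
            continue;                       // not a request line we can parse
        }
        // Decode twice so single- and double-encoded forms are both caught
        $target = rawurldecode(rawurldecode($m[1]));
        if (stripos($target, 'filemanager.php') !== false
            && preg_match('/file\[[^\]]*\]=[^&]*\.\.[\/\\\\]/', $target)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Build a throwaway base directory with one legitimate file in it.
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tfm-demo-' . getmypid();
    mkdir($base . '/docs', 0700, true);
    file_put_contents($base . '/docs/readme.txt', "hello\n");

    // Constructed file[] values: two legitimate, three that must be rejected.
    $requests = [
        'docs/readme.txt',
        'docs/../docs/readme.txt',          // legitimate once canonicalised
        '../../../../etc/passwd',
        '%2e%2e/%2e%2e/%2e%2e/etc/passwd',  // encoded form of the same thing
        "docs/readme.txt\0.jpg",
    ];
    foreach ($requests as $r) {
        $res = resolveInsideBase($base, $r);
        printf("%-36s => %s\n", addcslashes($r, "\0"), $res === null ? 'REJECTED' : 'ok: ' . $res);
    }
    unlink($base . '/docs/readme.txt');
    rmdir($base . '/docs');
    rmdir($base);

    // Constructed combined-format log lines for the detection pass.
    $logs = [
        '203.0.113.5 - - [17/Apr/2026:10:00:00 +0000] "GET /filemanager.php?p=docs&file[]=readme.txt HTTP/1.1" 200 512',
        '203.0.113.9 - - [17/Apr/2026:10:00:05 +0000] "GET /filemanager.php?p=&file%5B%5D=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1234',
        '203.0.113.9 - - [17/Apr/2026:10:00:07 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    ];
    foreach (findTraversalAttempts($logs) as $hit) {
        echo "SUSPICIOUS: $hit\n";
    }
}
```

Run with `php example.php`: the first two requests resolve to the same file inside the base directory and are accepted, the remaining three are rejected, and only the second log line (a file[] value that decodes to a traversal sequence against filemanager.php) is reported. The design point is to make the decision on the canonical path rather than on the raw string, so the check does not depend on enumerating every encoding an attacker might use.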
Update to a patched version of TinyFileManager. The vulnerability is a path traversal that allows a remote attacker to access arbitrary files on the server. Check the project page for information on patched versions.
CVE-2026-6496 is a vulnerability in TinyFileManager versions 2.0.0–2.6 that allows attackers to potentially read arbitrary files from the server by manipulating the file[] parameter. A public exploit exists, making it a serious risk.
You are affected if you are using TinyFileManager versions 2.0.0 through 2.6 and have not upgraded. The vulnerability is remotely exploitable and a public exploit is available.
Unfortunately, no patched version is currently available. Implement input validation on the file[] parameter, use a WAF, and monitor server logs as temporary workarounds.
Yes, the vulnerability is considered actively exploitable due to the public availability of a proof-of-concept exploit. Immediate action is recommended.
As of the publication date, no official advisory has been released by the TinyFileManager vendor. Monitor their website and security mailing lists for updates.