CVE-2025-56399 – Alexusmai Laravel-FileManager RCE

CVE ID : CVE-2025-56399

Published : Oct. 28, 2025, 4:15 p.m. | 29 minutes ago

Description : alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a ‘.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…