HIGH | CVE-2026-37266 | Published | Modified | CNA: mitre

CVE-2026-37266: An issue in Responsive File Manager Responsive FileManager Version 9

An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component.

HarborGuard Analysis

Synopsis

A remote code execution vulnerability in Responsive FileManager version 9.14.0 is reachable over the network by any authenticated user with low-privilege access, and it requires a victim to take some action to trigger it. Successful exploitation gives an attacker full control over the affected system, including reading, modifying, and destroying data or crashing the service. The vulnerability exists in the force_download.php component. HarborGuard tracks this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that include Responsive FileManager.

Status: Available

Triage

Triage is available using the CVSS v3.1 base score of 8.0 (HIGH), weighted against each customer organization's compliance policy to determine priority and routing. Findings are routed to the appropriate inbox within each customer org based on configured escalation rules.

Status: Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, customers can use HarborGuard policy controls to flag or block images containing the affected component.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable service over the network; no local or physical access is needed.

  • Authentication: Required

    The attacker must hold a valid low-privilege account on the application; unauthenticated access is not sufficient.

  • Victim interaction: Required

    A victim user must perform some action (such as following a crafted link or triggering a download) to complete exploitation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental factors.

Blast Radius

  • An attacker achieves remote code execution on the host running Responsive FileManager, gaining the ability to run arbitrary commands.
  • Confidential data stored on the server, including files managed by the application, is fully readable by the attacker.
  • The attacker can modify or delete any files and data the application process has access to.
  • The attacker can crash or otherwise disable the affected service, causing a denial of service for users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-37266, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. Until then, customers can apply compensating controls through HarborGuard policy, including flagging or blocking any image containing the affected force_download.php component, applying network-policy isolation to restrict access to the file manager service, and using feature-flag or ingress gating to limit which users can reach the vulnerable endpoint. For customers with auto-remediation enabled, a rebuild and regression run will be triggered automatically once an upstream fix is published, with a PR opened against affected workloads. HarborGuard will continue monitoring this advisory and will notify affected environments as soon as a patch becomes available.


Metrics

CVSS v3.1: 8.0
Severity: HIGH
Fixed in:
Affected Products: 1
Affected packages:
  • n/a / n/a
    n/a
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H