CVE-2026-5482 · Severity: CRITICAL · CNA: CERT-PL

CVE-2026-5482: Remote Code Execution via Unrestricted File Upload in Responsive FileManager

Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction using the dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release, 9.14.0.

Metrics

  • CVSS v4.0 score: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unrestricted file upload vulnerability in Responsive FileManager (versions up to and including 9.14.0) allows any unauthenticated attacker to upload arbitrary files, including server-side scripts, through the dialog.php endpoint. The attack is reachable over the network and requires no credentials or user interaction. Successful exploitation gives the attacker remote code execution on the host running the application. No fix version has been published; the project is unmaintained, and HarborGuard tracks the advisory for any future patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-5482 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Responsive FileManager. Coverage is not limited to official base images; any image layer carrying the affected package is flagged.

Triage: Available

Triage is available with the CVSS v4.0 score of 9.3 (Critical) applied automatically, weighted further by each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix has been published and the project is unmaintained, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation and egress-filtering recommendations surfaced in the finding detail.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application's dialog.php endpoint over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session credential of any privilege level is required to trigger the upload.

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link, open a file, or take any action.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free, with no race conditions, memory-layout dependencies, or environmental factors to overcome.

Blast Radius

  • The attacker uploads and executes arbitrary server-side code, gaining a remote shell on the host running Responsive FileManager.
  • With code execution established, the attacker reads any file accessible to the web server process, including application secrets, credentials, and stored user data.
  • The attacker modifies or deletes files on the server, including application code, configuration files, and persisted data.
  • Secondary systems reachable from the compromised host are exposed to lateral movement, reflected in the Low subsequent-system impact metrics (SC:L/SI:L/SA:L) in the CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5482 activates immediately upon image scan, flagging any image that includes Responsive FileManager 9.14.0 or earlier at Critical severity. Because no upstream patch exists and the project is unmaintained, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically if an upstream fix ever ships. Until then, customers are advised to use HarborGuard's network-policy isolation recommendations to restrict inbound access to the dialog.php endpoint at the container-networking layer, apply egress filtering to limit outbound connections from the affected workload, and consider feature-flag or ingress-rule gating to disable the file upload functionality entirely if it is not required. For customers who opt into auto-remediation, a rebuild and regression run will be triggered and a PR opened against affected workloads as soon as a fix version becomes available upstream.
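The advisory recommends restricting access to dialog.php and, failing that, watching the workload closely until an upstream fix exists. The following detection script is an added example written for this page; it is not HarborGuard's product code nor part of Responsive FileManager. It scans web-server access logs in combined format for two signals grounded in the advisory text: POST requests to the dialog.php endpoint (assumed to be how an upload arrives, since the advisory does not state the HTTP method) and successful requests for server-side scripts under the upload directory (the prefix `/filemanager/source/` is an assumed, configurable default; the page does not name the directory). The log lines are constructed for illustration.

```python
"""Access-log detection for CVE-2026-5482-style upload abuse.

Added example, not code from the advisory or from Responsive FileManager.
Assumptions: combined log format; uploads arrive as POST to dialog.php;
the upload directory prefix defaults to /filemanager/source/ (constructed).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined Log Format: host ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions a typical PHP host will execute; constructed list, extend as needed.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /filemanager/dialog.php?type=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "POST /filemanager/dialog.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "GET /filemanager/source/uploaded.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Mar/2026:12:01:00 +0000] "GET /filemanager/source/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]


@dataclass
class Finding:
    host: str
    time: str
    reason: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str], upload_prefix: str = "/filemanager/source/") -> List[Finding]:
    """Flag upload attempts against dialog.php and script requests under the upload directory."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path = rec["path"].split("?", 1)[0].lower()  # drop the query string, normalise case
        if rec["method"] == "POST" and path.endswith("/dialog.php"):
            # Signal 1: a POST to the vulnerable endpoint is an upload attempt.
            findings.append(Finding(rec["host"], rec["time"], "upload attempt via dialog.php", rec["path"]))
        elif path.startswith(upload_prefix) and path.endswith(SCRIPT_EXTS) and rec["status"] == "200":
            # Signal 2: a server-side script served from the upload directory
            # suggests an uploaded file is being executed.
            findings.append(Finding(rec["host"], rec["time"], "server-side script served from upload directory", rec["path"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.reason}: {f.path}")
```

On the constructed sample the scan reports the POST to dialog.php and the subsequent request for `uploaded.php`, while the ordinary GET of the dialog page and the PDF download are ignored. In production the second signal is the more valuable one: legitimate use of the file manager will also POST to its endpoints, but a web server should never be serving PHP out of a user-upload directory, so that hit alone justifies isolating the workload as the advisory recommends.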

Affected packages
  • Tecrail / Responsive FileManager
    ≤ 9.14.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L