{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-5482: Remote Code Execution via Unrestricted File Upload in Responsive FileManager","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-5482","status":"final","version":"1","initial_release_date":"2026-06-15T11:44:46.963Z","current_release_date":"2026-06-15T12:32:39.368Z","revision_history":[{"date":"2026-06-15T11:44:46.963Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction via the dialog.php endpoint, leading to Remote Code Execution.\n\nThis project was unmaintained at the time of CVE assignment. The vulnerability was found in the latest release, 9.14.0.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-5482 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-5482"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-5482"},{"category":"external","summary":"cert.pl","url":"https://cert.pl/en/posts/2026/06/CVE-2026-5482"},{"category":"external","summary":"github.com","url":"https://github.com/trippo/ResponsiveFilemanager"}]},"product_tree":{"branches":[{"category":"vendor","name":"Tecrail","branches":[{"category":"product_name","name":"Responsive FileManager","branches":[{"category":"product_version_range","name":"<=9.14.0","product":{"name":"Tecrail Responsive FileManager <=9.14.0","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:tecrail:responsive_filemanager:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-5482","title":"Remote Code Execution via Unrestricted File Upload in Responsive FileManager","notes":[{"category":"description","text":"Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction via the dialog.php endpoint, leading to Remote Code Execution.\n\nThis project was unmaintained at the time of CVE assignment. The vulnerability was found in the latest release, 9.14.0.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}