Security Advisory - Published 2026-06-15 - PHP File Manager

Responsive FileManager CVE-2026-5482: check exposed upload paths before trusting the site

CERT Polska lists Tecrail Responsive FileManager versions through 9.14.0 as affected. The reported issue is unrestricted upload of dangerous file types. Treat any public deployment as an incident candidate until the file manager is removed or isolated and upload directories are reviewed.

Defensive scope: use this page only for systems you own or have approval to review. It does not provide upload payloads, request samples, or unauthorized testing steps.

Who is affected

Product: Tecrail Responsive FileManager
CVE: CVE-2026-5482
Affected versions: all versions through 9.14.0, according to CERT Polska
Main risk: unrestricted file upload that can lead to code execution when an uploaded script file is reachable over the web and the server executes it
Patch posture: the project was reported as unmaintained at assignment time; removal or strict isolation is safer than waiting on a routine update.

Fast inventory

# Candidate file-manager directories (depth-limited so the run stays quick)
find . -maxdepth 5 -type d | grep -Ei 'responsive.?filemanager|filemanager|file-manager'
# Candidate upload locations and file-manager files
find . -maxdepth 6 -type f | grep -Ei 'responsive.?filemanager|filemanager|upload'
# Anything changed in the last 7 days that is executable or upload-related (one backslash: '\\.' would match a literal backslash)
find . -type f -mtime -7 | grep -Ei '\.(php[0-9]*|phtml|phar|shtml|js)$|upload|filemanager'

On shared hosting, use the file manager in the control panel if shell access is not available. Record the folder path, last modified dates, and any recently changed files before deleting anything.

What to review

  • Public paths that expose a file manager, upload browser, connector, or admin-only media tool.
  • Upload directories containing PHP, PHTML, PHAR, SHTML, executable scripts, archive files, or files with double extensions.
  • Recently modified files under `uploads`, `tmp`, `cache`, `assets`, and application root directories.
  • Web server logs showing repeated access to the file manager or newly uploaded files.
  • Unexpected cron jobs, new admin users, changed `.htaccess`, changed Nginx rules, or unfamiliar include files.
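A triage script for the inventory and review steps above, added here as an example; it is not part of the advisory or of the Responsive FileManager project. It assumes a POSIX shell with find and GNU or BSD stat; the extension list, the directory names it walks (taken from the review list) and the default 7-day window are assumptions. It records mtime and owner/group for every flagged file and deletes nothing, which is the record the fix path asks for before cleanup.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): flag files worth
# reviewing under an upload tree. Assumes POSIX sh, find, GNU/BSD stat.

# Report suspicious files under DIR, one per line, newest first:
#   <mtime-epoch> <owner:group> <reasons> <path>
# Reasons: script-ext (web-executable extension), double-ext (a script
# extension followed by another, e.g. shell.php.jpg), recent (modified within
# DAYS days, default 7). Nothing is modified or deleted.
scan_upload_dir() {
    dir=$1
    days=${2:-7}
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        base=${f##*/}
        reasons=""
        case "$base" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.shtml|*.phps|*.pht)
                reasons="script-ext" ;;
        esac
        case "$base" in
            *.php.*|*.php[0-9].*|*.phtml.*|*.phar.*|*.shtml.*|*.phps.*|*.pht.*)
                reasons="${reasons:+$reasons,}double-ext" ;;
        esac
        if [ -n "$(find "$f" -mtime -"$days" 2>/dev/null)" ]; then
            reasons="${reasons:+$reasons,}recent"
        fi
        [ -z "$reasons" ] && continue
        # GNU stat first, BSD/macOS stat as fallback (assumption: one of them exists)
        meta=$(stat -c '%Y %U:%G' "$f" 2>/dev/null || stat -f '%m %Su:%Sg' "$f")
        printf '%s %s %s\n' "$meta" "$reasons" "$f"
    done | sort -rn
}

# Walk the directories the review list names (uploads, tmp, cache, assets)
# plus anything named like a file manager under ROOT, merging the reports.
# Nested matches (uploads/cache) would report twice, hence uniq.
scan_web_root() {
    root=$1
    days=${2:-7}
    find "$root" -type d \( -iname 'upload*' -o -iname 'tmp' -o -iname 'cache' \
        -o -iname 'assets' -o -iname '*filemanager*' -o -iname '*file-manager*' \) \
        2>/dev/null | while IFS= read -r d; do
        scan_upload_dir "$d" "$days"
    done | sort -rn | uniq
}

# Stand-alone use: sh triage.sh /var/www/html [days]   (path is an example)
if [ "$#" -gt 0 ]; then
    scan_web_root "$1" "${2:-7}"
fi
```

Pipe the output into the incident record before touching anything; the first two columns are exactly the timestamp and owner/group that step 4 of the fix path requires, and the reason column tells you which lines are candidate web shells (script-ext, double-ext) versus merely recent writes.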

Safe fix path

  1. Take a backup and preserve web access logs before cleanup.
  2. Remove Responsive FileManager from public web roots unless there is a vendor-supported fixed build.
  3. If the file manager must remain temporarily, restrict it to a VPN or admin-only network path and configure the web server to refuse script execution inside every upload directory.
  4. Delete unknown uploaded scripts only after recording filenames, timestamps, and owner/group metadata.
  5. Rotate application, database, FTP/SFTP, panel, and admin passwords if suspicious uploaded files were reachable.
  6. Retest the public site with normal browsing and confirm that files in upload directories are served as static content or denied, never executed.
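The server-side part of steps 3 and 6 (refuse to execute anything in an upload directory, then check that every upload directory is covered), added here as an example; it is not from the advisory or the Responsive FileManager project. It assumes Apache 2.4 with AllowOverride permitting Options, FileInfo and AuthConfig in .htaccess, or Nginx with a conventional "location ~ \.php$" handler block; the paths and the URI prefix /uploads are examples. The extension regex also catches double extensions such as shell.php.jpg, which some PHP wirings still execute.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): block script execution
# in upload directories for Apache 2.4 (.htaccess) and Nginx (location block).
# Assumes AllowOverride permits Options/FileInfo/AuthConfig in .htaccess.

# Any script-like extension, also when followed by another extension
# (shell.php.jpg), which Apache's mod_mime may still hand to PHP depending on
# how the handler is configured.
SCRIPT_EXT_RE='\.(php[0-9]*|phtml|phar|shtml|phps|pht)(\.|$)'

# Write an .htaccess into DIR that refuses to serve script-like files and
# disables CGI, SSI and symlink following for the whole tree. An existing
# .htaccess is never overwritten: an attacker may have planted it, so review
# it first (the advisory lists changed .htaccess files as an indicator).
harden_upload_dir_apache() {
    dir=$1
    if [ -e "$dir/.htaccess" ]; then
        echo "refusing to overwrite existing $dir/.htaccess; review it first" >&2
        return 2
    fi
    cat > "$dir/.htaccess" <<EOF
# Uploaded content only: nothing in this tree may execute.
# If AllowOverride forbids one of these directives Apache answers 500 for the
# whole tree. That fails closed; fix AllowOverride rather than deleting lines.
Options -ExecCGI -Includes -FollowSymLinks
<FilesMatch "$SCRIPT_EXT_RE">
    Require all denied
</FilesMatch>
# Extra guard for mod_php builds (mod_php.c on PHP 8, mod_php7.c on PHP 7).
# php-fpm/FastCGI deployments ignore it; Require all denied still applies.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# Emit the equivalent Nginx rule for the URI prefix under which uploads are
# served (e.g. /uploads). Nginx uses the first matching regex location in
# file order, so this block must come before the generic PHP handler.
nginx_upload_block_snippet() {
    uri_prefix=$1
    cat <<EOF
# Place before "location ~ \.php\$ { fastcgi_pass ...; }".
location ~* ^${uri_prefix}/.*${SCRIPT_EXT_RE} {
    deny all;
}
EOF
}

# Check before retesting: every directory named upload* under ROOT must
# carry the deny rule. Prints the uncovered directories and returns 1 if any.
check_upload_dirs_apache() {
    root=$1
    missing=$(find "$root" -type d -iname 'upload*' 2>/dev/null | while IFS= read -r d; do
        grep -qs 'Require all denied' "$d/.htaccess" || echo "no deny rule: $d"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Stand-alone use: sh harden.sh /var/www/html/uploads [/uploads]  (paths are examples)
if [ "$#" -gt 0 ]; then
    harden_upload_dir_apache "$1" && check_upload_dirs_apache "$(dirname "$1")"
    nginx_upload_block_snippet "${2:-/uploads}"
fi
```

Denying the script files outright (Require all denied, deny all) is preferred over only switching the PHP engine off, because it does not depend on whether PHP runs as mod_php or php-fpm and it also covers .phtml, .phar and .shtml, which a PHP-only setting would leave to other handlers. After applying either rule, step 6 still has to be done from the outside: request a known harmless file in the directory and confirm it is denied or returned verbatim.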

Repair help

Use Ping7 CVE Repair if the site contains unknown scripts, web shell indicators, changed `.htaccess` or Nginx rules, unfamiliar admin users, or upload paths you cannot safely assess. Ping7 handles defensive cleanup and a written repair report for owned systems.
