Security Advisory - Published 2026-06-15 - PHP File Manager
Responsive FileManager CVE-2026-5482: check exposed upload paths before trusting the site
CERT Polska lists Tecrail Responsive FileManager versions through 9.14.0 as affected. The reported issue is unrestricted upload of dangerous file types. Treat any public deployment as an incident candidate until the file manager is removed or isolated and upload directories are reviewed.
Who is affected
| Product | Tecrail Responsive FileManager |
|---|---|
| CVE | CVE-2026-5482 |
| Affected versions | All versions through 9.14.0, according to CERT Polska |
| Main risk | Unrestricted file upload that can lead to code execution when dangerous file types are reachable |
| Patch posture | The project was reported as unmaintained at assignment time; removal or strict isolation is safer than waiting on a routine update. |
Fast inventory
```shell
find . -maxdepth 5 -type d | grep -Ei 'responsive.?filemanager|filemanager|file-manager'
find . -maxdepth 6 -type f | grep -Ei 'responsive.?filemanager|filemanager|uploads|upload'
find . -type f -mtime -7 | grep -Ei '\.php$|\.phtml$|\.phar$|\.shtml$|\.js$|upload|filemanager'
```
On shared hosting, use the file manager in the control panel if shell access is not available. Record the folder path, last modified dates, and any recently changed files before deleting anything.
What to review
- Public paths that expose a file manager, upload browser, connector, or admin-only media tool.
- Upload directories containing PHP, PHTML, PHAR, SHTML, executable scripts, archive files, or files with double extensions.
- Recently modified files under `uploads`, `tmp`, `cache`, `assets`, and application root directories.
- Web server logs showing repeated access to the file manager or newly uploaded files.
- Unexpected cron jobs, new admin users, changed `.htaccess`, changed Nginx rules, or unfamiliar include files.
Safe fix path
- Take a backup and preserve web access logs before cleanup.
- Remove Responsive FileManager from public web roots unless there is a vendor-supported fixed build.
- If the file manager must remain temporarily, restrict it to a VPN or admin-only network path and block script execution from upload directories.
- Delete unknown uploaded scripts only after recording filenames, timestamps, and owner/group metadata.
- Rotate application, database, FTP/SFTP, panel, and admin passwords if suspicious uploaded files were reachable.
- Retest the public site with normal browsing and confirm no upload directory executes scripts.
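The inventory commands above stop at single extensions. The following script, added to this advisory and not part of Responsive FileManager or CERT Polska's material, walks an upload directory for script-type names in any position (so `avatar.php.jpg` and `photo.jpg.php` both surface), lists recently modified files, and records owner/group metadata before anything is deleted. The extension list, function names and the directory argument are assumptions for this example.

```shell
#!/usr/bin/env bash
# audit_uploads.sh: triage an upload directory before cleanup (added example).
# Assumes POSIX find/grep/ls; pass the upload directory as the first argument.
set -u

# Extensions a PHP-enabled web root may execute. Doubled forms such as
# "avatar.php.jpg" or "photo.jpg.php" are caught because the pattern below
# accepts the extension either at the end of the name or followed by another
# dot; "readme.phpinfo" is not matched.
DANGEROUS_EXT='php[0-9]?|phtml|phar|shtml|pht|cgi|pl|sh'

# Print every regular file under $1 whose basename carries a dangerous
# extension, one path per line. Matching is on the basename only, so
# directory names never produce hits.
find_script_uploads() {
    find "$1" -type f 2>/dev/null \
      | grep -Ei "/[^/]*\.(${DANGEROUS_EXT})(\.[^/]*)?\$"
}

# Print files under $1 modified within the last $2 days (default 7),
# matching the "recently modified files" review item.
find_recent_uploads() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Print files under $1 with the owner execute bit set (octal 100).
find_executable_uploads() {
    find "$1" -type f -perm -100 2>/dev/null
}

# Number of script-type hits; always exits 0 so callers can branch on it.
count_script_uploads() {
    find_script_uploads "$1" | grep -c . || true
}

# Evidence record for each hit: permissions, owner, group, mtime and path.
# Capture this output before deleting anything.
record_evidence() {
    find_script_uploads "$1" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
}
```

Run `count_script_uploads /path/to/uploads` first; a non-zero result means the directory needs the evidence step and a review of whether the web server executes scripts there.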
Repair help
Use Ping7 CVE Repair if the site contains unknown scripts, web shell indicators, changed `.htaccess` or Nginx rules, unfamiliar admin users, or upload paths you cannot safely assess. Ping7 handles defensive cleanup and a written repair report for owned systems.