CVE-2025-46001: simogeo/filemanager arbitrary file upload vulnerability

July 18, 2025 (updated July 23, 2025)

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

References

github.com/advisories/GHSA-m5hw-rhvr-f47c
github.com/simogeo/Filemanager
github.com/zakumini/CVE-List/blob/main/CVE-2025-46001/CVE-2025-46001.md
nvd.nist.gov/vuln/detail/CVE-2025-46001
www.exploit-db.com/exploits/38895

Code Behaviors & Features

Detect and mitigate CVE-2025-46001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →