CVE-2025-46001: 
PHP vulnerability analysis and mitigation

An arbitrary file upload vulnerability was discovered in the is_allowed_file_type() function of Filemanager v2.3.0. The vulnerability (CVE-2025-46001) was disclosed on July 18, 2025, affecting the Filemanager application developed by Simogeo. This vulnerability allows attackers to execute arbitrary code by uploading a crafted PHP file (NVD).

The vulnerability exists in the is_allowed_file_type() function of Filemanager v2.3.0 which fails to properly validate uploaded file types. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, CISA).

The vulnerability allows remote attackers to execute arbitrary code on the affected system by uploading maliciously crafted PHP files. This could lead to complete system compromise, allowing attackers to gain full control over the affected server (NVD).

Users are advised to upgrade to RichFileManager, which is the successor to Filemanager, as the original package is now deprecated. The project maintainers have officially marked Filemanager as deprecated and recommend using RichFileManager available at https://github.com/servocoder/RichFilemanager (GitHub Filemanager).