CVE-2025-46002: 
PHP vulnerability analysis and mitigation

An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint. The vulnerability was discovered and disclosed on July 18, 2025, and has been assigned identifier CVE-2025-46002. The vulnerability affects all versions of Filemanager up to and including version 2.5.0 (NVD).

The vulnerability is classified as a Relative Path Traversal (CWE-23) issue. The CVSS v3.1 base score is 6.5 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and can lead to low-level impacts on confidentiality and integrity (NVD).

The vulnerability allows attackers to traverse directories on the affected system through crafted HTTP requests to the filemanager.php endpoint. This could potentially lead to unauthorized access to files outside the intended directory structure and exposure of sensitive information (NVD).

Users are advised to upgrade to a version newer than v2.5.0 when available. The project has been deprecated and users are recommended to switch to RichFileManager available at https://github.com/servocoder/RichFilemanager as a more secure alternative (GitHub Filemanager).