CVE-2025-46651

Published: Feb 3, 2026

Modified: Feb 5, 2026

PUBLISHED

Description

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608

https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-46651

Description

Affected Products

References