PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37266 Responsive FileManager CVE debrief

A remote code execution vulnerability exists in Responsive FileManager version 9.14.0, specifically within the force_download.php component. The vulnerability allows a remote attacker to execute arbitrary code on affected systems. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, with high impact across confidentiality, integrity, and availability. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'). The CVE was published on May 28, 2026 and modified later the same day. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV. Vendor attribution is currently uncertain with low confidence based on reference domain analysis.

Vendor
Responsive FileManager
Product
Responsive FileManager 9.14.0
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Responsive FileManager 9.14.0 for web-based file management; security teams responsible for PHP application security; web hosting providers offering file manager services; developers maintaining legacy file management integrations.

Technical summary

The vulnerability resides in the force_download.php component of Responsive FileManager 9.14.0. The CWE-98 classification suggests improper control of filenames in include/require statements, potentially enabling PHP remote file inclusion. Successful exploitation requires low privileges and user interaction, but yields high impact across the CIA triad. Attack complexity is low with network accessibility.

Defensive priority

HIGH

Recommended defensive actions

  • Review and restrict access to force_download.php in Responsive FileManager 9.14.0 deployments
  • Apply vendor patches when available or consider upgrading to a non-vulnerable version
  • Implement network segmentation to limit exposure of file management interfaces
  • Monitor for anomalous requests to force_download.php and related file operation endpoints
  • Conduct code review of force_download.php for improper filename validation and remote file inclusion patterns
  • Review application logs for indicators of unauthorized file access or code execution attempts

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CVSS 3.1 score of 8.0 (HIGH) with vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. Weakness identified as CWE-98. Vendor attribution marked as low confidence requiring review.

Official resources

2026-05-28T14:16:19.317Z