CVE-2026-37266 - Vulnerability Details

An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Responsivefilemanager	Responsivefilemanager

No data.

References

Link	Providers
https://csacyber.com/blog/responsive-filemanager-version-9-14-0-multiple-vulnerabilities-cve-2026-37266
https://www.responsivefilemanager.com/

History

Thu, 28 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title	Remote Code Execution via force_download.php in Responsive File Manager 9.14.0
Weaknesses	CWE‑94

Thu, 28 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Responsivefilemanager Responsivefilemanager responsivefilemanager
Vendors & Products		Responsivefilemanager Responsivefilemanager responsivefilemanager

Thu, 28 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via force_download.php in Responsive File Manager 9.14.0
Weaknesses		CWE-98 CWE‑94
Metrics		cvssV3_1 `{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 28 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component
References		https://csacyber.com/blog/responsive-filemanager-version-9-14-0-multiple-vulnerabilities-cve-2026-37266 https://www.responsivefilemanager.com/

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-28T00:00:00.000Z

Updated: 2026-05-28T15:56:58.819Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37266

Vulnrichment

Updated: 2026-05-28T15:56:41.136Z

NVD

Status : Deferred

Published: 2026-05-28T14:16:19.317

Modified: 2026-05-29T16:32:14.400

Link: CVE-2026-37266

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object