CVE-2026-37266
Responsive File Manager version 9.14.0 contains a remote code execution vulnerability in its force_download.php component. An authenticated attacker can exploit this flaw to execute arbitrary code on the server, potentially gaining full control of the application and underlying system. The vulnerability requires an attacker to have valid login credentials and user interaction (such as clicking a malicious link), but poses a significant risk in multi-user or publicly accessible deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-37266 is a code injection vulnerability (CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program) within the force_download.php file of Responsive File Manager 9.14.0. The vulnerability allows an authenticated, low-privileged user to inject and execute arbitrary PHP code through insufficient input validation or improper sanitization of file handling parameters. The network-accessible nature of the component, combined with low attack complexity and lack of special privileges required beyond standard user authentication, creates a direct path to remote code execution with high impact on confidentiality, integrity, and availability.
Business impact
Exploitation of this vulnerability could result in complete compromise of the Responsive File Manager instance and potentially the host server. Attackers could access sensitive files, modify or delete data, plant backdoors for persistent access, or use compromised infrastructure for lateral movement within the network. Organizations relying on Responsive File Manager for document management, content distribution, or file hosting face data breach, service disruption, and reputational damage. The requirement for authentication narrows the immediate threat surface, but compromised or social-engineered user credentials make this a realistic attack vector.
Affected systems
Responsive File Manager version 9.14.0 is confirmed vulnerable. Organizations running this version in production should be prioritized for assessment and patching. Verify whether your deployment includes the force_download.php component and is accessible to authenticated users. Earlier and later versions should be evaluated against vendor advisories to confirm patch status and safe versions.
Exploitability
While the vulnerability requires valid authentication credentials, the low attack complexity and reliance on user interaction (rather than complex exploitation techniques) make it moderately exploitable in real-world scenarios. Compromised accounts, weak password practices, or social engineering could facilitate attacker access. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but this does not guarantee active exploitation has not occurred or will not occur. Security teams should monitor threat intelligence for any emerging proof-of-concept or public exploit code.
Remediation
Immediate action: Update Responsive File Manager to a patched version released after the vulnerability discovery. Consult the official vendor advisory and release notes to confirm a safe version. As an interim measure pending patches, restrict access to Responsive File Manager to trusted users and networks, implement network segmentation, and enforce strong authentication (multi-factor authentication where possible). Review access logs for suspicious activity involving force_download.php or unexpected file operations.
Patch guidance
Contact the Responsive File Manager vendor or review their official security advisories for confirmed patched versions. Do not deploy untested patches in production without validation in a staging environment first. Verify that the patched version specifically addresses CWE-98 in the force_download.php component. After patching, restart the application and confirm normal operation of file download and management functions before re-enabling production traffic.
Detection guidance
Monitor server logs for unusual requests to force_download.php, particularly those with anomalous parameters, encoded payloads, or repeated failed attempts. Web application firewalls (WAF) should be configured to detect PHP code injection patterns and suspicious file inclusion attempts. Implement file integrity monitoring on the Responsive File Manager directory to detect unauthorized code modifications. Hunt for evidence of exploitation in PHP error logs, web server access logs, and system command execution records (e.g., process execution from web server user context).
Why prioritize this
This vulnerability merits urgent attention due to its HIGH CVSS score (8.0), direct remote code execution impact, and presence in a widely-used file management tool. While authentication is required, the low attack complexity and widespread deployment of Responsive File Manager mean that patching should be prioritized within the next 30 days. Organizations should treat this as higher priority than vulnerabilities requiring more complex exploitation chains or special privileges.
Risk score, explained
The CVSS 3.1 score of 8.0 (HIGH) reflects high impact across confidentiality, integrity, and availability, combined with network accessibility and low attack complexity. The authentication requirement and need for user interaction lower the score from critical, but remote code execution always carries severe risk. The CWE-98 classification (improper control of include/require statements) is a known attack vector in PHP applications and should be treated with corresponding concern in security planning.
Frequently asked questions
Do we need to be running Responsive File Manager version 9.14.0 to be vulnerable?
Yes, CVE-2026-37266 specifically affects version 9.14.0. However, you should verify with the vendor whether earlier versions or other versions are also affected, as vulnerability disclosures sometimes apply to a range of versions. Check the official security advisory for the complete list of affected and unaffected versions.
Can this vulnerability be exploited without a user account?
No. The CVSS vector indicates this requires PR:L (low privilege level), meaning the attacker must have valid authentication credentials. However, 'low privilege' typically means a standard user account—not administrative access. Compromised user credentials via phishing, password reuse, or other means could enable exploitation.
What should we do if we can't patch immediately?
Implement compensating controls: restrict network access to the Responsive File Manager to trusted IP ranges or VPN-only access, enforce multi-factor authentication, monitor logs for suspicious force_download.php requests, and regularly audit user access to the application. Work with your vendor to obtain a timeline for patches and plan a controlled deployment in a test environment before production rollout.
Is there public exploit code available for this vulnerability?
As of the vulnerability publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, this does not guarantee that exploit code does not exist or will not be released. Monitor threat intelligence feeds and the vendor's official channels for updates. If you discover evidence of exploitation attempts, isolate affected systems and escalate to incident response.
This analysis is provided for informational and defensive security purposes. The details and recommendations are based on publicly available vulnerability data current as of the publication date. Organizations should verify all patch versions, affected systems, and remediation steps directly against official vendor advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made based on this content. Always validate findings in your own environment and consult with your security team and vendor support for organization-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Browse
Related vulnerabilities
- CVE-2025-53440HIGH
CVE-2025-53440: Axiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGH
CVE-2025-58024: UnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGH
CVE-2025-58705: Crafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGH
CVE-2025-58707: PHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGH
CVE-2025-58897: Axiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGH
CVE-2025-68886: androThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGH
CVE-2025-69369: Axiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-39552HIGH
CVE-2026-39552: PHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance