Cyber Posture

CVE-2019-25673

High · Public PoC

Published: 05 April 2026

Modified: 16 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25673 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 22.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly enforces validation of uploaded files to reject dangerous types like PHP, preventing arbitrary file upload and subsequent code execution.

prevent

Requires timely identification, reporting, and patching of flaws like CVE-2019-25673 in vulnerable components such as UniSharp Laravel File Manager.

prevent, detect

Deploys malicious code protection at upload endpoints to scan and block PHP shells or other executable malicious files before storage and execution.
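
One way to implement the input-validation control listed above (rejecting dangerous types such as PHP at the upload endpoint) is a server-side allowlist check on both filename and content. This is an added example, not code from UniSharp Laravel File Manager or its fix; `ALLOWED`, `validate_upload()` and the allowlist contents are assumptions.

```php
<?php
// Added example, not UniSharp code. ALLOWED and validate_upload() are
// hypothetical names; the allowlist contents are an assumption.
const ALLOWED = [ // extension => magic bytes the content must start with
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
    'gif' => "GIF8",
    'pdf' => "%PDF-",
];

/** Returns a server-chosen storage name, or null if the upload is rejected. */
function validate_upload(string $clientName, string $bytes): ?string
{
    // Ignore any client-supplied path, then trailing dots and spaces.
    $name = rtrim(basename(str_replace('\\', '/', $clientName)), '. ');
    $parts = explode('.', strtolower($name));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null; // no extension, dotfile, or multiple extensions
    }
    $ext = $parts[1] === 'jpeg' ? 'jpg' : $parts[1];
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // php, phtml, phar and the rest are not on the list
    }
    $magic = ALLOWED[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null; // content does not match the claimed type
    }
    // The client never controls the stored name or its extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client filename, first bytes of the body].
$samples = [
    ['shell.php',     '<?php echo 1;'],
    ['shell.PHP.',    '<?php echo 1;'],
    ['shell.php.jpg', "\xFF\xD8\xFF\xE0"],
    ['shell.jpg',     '<?php echo 1;'],
    ['.htaccess',     '# constructed'],
    ['photo.jpeg',    "\xFF\xD8\xFF\xE0\x00\x10JFIF"],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-14s %s\n", $name, validate_upload($name, $bytes) ?? 'REJECTED');
}
```

A magic-byte match does not rule out a polyglot file; what keeps the stored file from being interpreted as PHP is that its name carries only an allowlisted extension chosen by the server.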

NVD Description

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.

Deeper analysis (AI)

CVE-2019-25673 is an arbitrary file upload vulnerability affecting UniSharp Laravel File Manager versions v2.0.0-alpha7 and v2.0. The flaw allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint, specifically PHP files with the type parameter set to Files. Once uploaded, attackers can execute arbitrary code by accessing the file through the working directory path. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

The attack requires low-privilege authenticated access (PR:L) over the network (AV:N), with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields remote code execution, with high impact on the confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected system.

Mitigation details are available in the referenced advisories, including the GitHub repository at https://github.com/UniSharp/laravel-filemanager, the issue tracker at https://github.com/UniSharp/laravel-filemanager/issues/356, an Exploit-DB entry at https://www.exploit-db.com/exploits/46389, and a VulnCheck advisory at https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload.

Details

CWE(s)

CVEs Like This One

CVE-2021-35485 (Shared CWE-434)
CVE-2020-36942 (Shared CWE-434)
CVE-2025-34299 (Shared CWE-434)
CVE-2025-26411 (Shared CWE-434)
CVE-2024-57169 (Shared CWE-434)
CVE-2023-53933 (Shared CWE-434)
CVE-2025-68909 (Shared CWE-434)
CVE-2021-47757 (Shared CWE-434)
CVE-2025-68986 (Shared CWE-434)
CVE-2025-56704 (Shared CWE-434)

References