{"api_version":"1","generated_at":"2026-04-26T22:42:51+00:00","cve":"CVE-2021-40965","urls":{"html":"https://cve.report/CVE-2021-40965","api":"https://cve.report/api/cve/CVE-2021-40965.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-40965","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-40965"},"summary":{"title":"CVE-2021-40965","description":"A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-15 18:15:00","updated_at":"2021-09-27 18:32:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"https://github.com/prasathmani/tinyfilemanager","name":"https://github.com/prasathmani/tinyfilemanager","refsource":"MISC","tags":[],"title":"GitHub - prasathmani/tinyfilemanager: The best web based PHP File Manager in single file, Manage your files efficiently and easily with tinyfilemanager","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528","name":"https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528","refsource":"MISC","tags":[],"title":"TinyFileManager Vulnerabilities · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-40965","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40965","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"40965","vulnerable":"1","versionEndIncluding":"2.4.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tinyfilemanager_project","cpe5":"tinyfilemanager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-40965","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/prasathmani/tinyfilemanager","refsource":"MISC","name":"https://github.com/prasathmani/tinyfilemanager"},{"refsource":"MISC","name":"https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528","url":"https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"}]}},"nvd":{"publishedDate":"2021-09-15 18:15:00","lastModifiedDate":"2021-09-27 18:32:00","problem_types":["CWE-352"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:tinyfilemanager_project:tinyfilemanager:*:*:*:*:*:*:*:*","versionEndIncluding":"2.4.6","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"40965","Ordinal":"216736","Title":"CVE-2021-40965","CVE":"CVE-2021-40965","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"40965","Ordinal":"1","NoteData":"A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"40965","Ordinal":"2","NoteData":"2021-09-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"40965","Ordinal":"3","NoteData":"2021-09-15","Type":"Other","Title":"Modified"}]}}}