CVE-2021-40965

8.8 HIGH

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers t...

Published: 2021-09-15 · Last updated: 2026-06-17

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-352

Affected products

Vendor	Product
prasathmani	tiny_file_manager

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.

Source: NVD

References

Related CVEs

Same vendor

CVE-2021-40966 — A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that... (5.4 MEDIUM)
CVE-2021-40964 — A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (wi... (6.5 MEDIUM)

Same CWE

CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)
CVE-2016-20067 — WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on beh... (4.3 MEDIUM)