Leefish: >> File Thingie Security Vulnerabilities
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-03-20
File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-03-20
File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.
CVSS Score
4.3
EPSS Score
0.001
Published
2026-03-20
File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.
CVSS Score
8.8
EPSS Score
0.002
Published
2025-12-18