MidnightBSD

Advisories for leefish

CVE-2023-53942

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
leefish file_thingie 2.5.7
CVE-2026-30578

File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code.

Products Affected

Vendor Product Version
leefish file_thingie 2.5.7
CVE-2026-30579

File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.

Products Affected

Vendor Product Version
leefish file_thingie 2.5.7
CVE-2026-30580

File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.

Products Affected

Vendor Product Version
leefish file_thingie 2.5.7