Description
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

FileThingie version 2.5.7 allows an attacker to upload a ZIP archive through the ft2.php endpoint. The archive may contain PHP code, which is extracted into a web-accessible directory and can be executed. This arbitrary file upload flaw (CWE-22) can lead to unauthorized code execution, compromising the confidentiality, integrity, and availability of the system.

Affected Systems

Affected installations are those running FileThingie 2.5.7 that expose the ft2.php upload endpoint and have ZIP extraction enabled. Any deployment running this version is vulnerable, regardless of server configuration.

Risk and Exploitability

The CVSS score of 9.3 (rated Critical) indicates high severity, while the EPSS score is below 1% and the vulnerability does not appear in the CISA KEV catalog. The likely attack vector, as inferred from the description, is an unauthenticated HTTP POST to the ft2.php endpoint. An attacker needs only the ability to send HTTP requests to the vulnerable endpoint; no authentication or elevated privileges are required. If a malicious PHP file is successfully uploaded, extracted and executed, the attacker gains unrestricted code execution on the host.

Generated by OpenCVE AI on April 13, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of FileThingie and ensure it is not 2.5.7.
  • Apply any available vendor patch or upgrade to a non‑vulnerable release.
  • If immediate upgrade is not possible, restrict external access to the ft2.php endpoint or place it behind a firewall.
  • Configure the web server to deny execution of files in the upload directory.
  • Monitor web server logs for unexpected upload activity and block offending IP addresses.

Generated by OpenCVE AI on April 13, 2026 at 17:06 UTC.
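As an added illustration of the last recommended action (this script is not from the page, from OpenCVE or from the FileThingie project), a small Python checker that scans web-server access logs in the common combined format for two signals: POST requests to ft2.php, and requests for PHP files other than ft2.php itself, which point at an extracted payload under the assumption that ft2.php is the only legitimate PHP on the host. The log lines, client addresses and the /files/cmd.php path are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format); addresses and paths are made up.
SAMPLE_LOG = """\
198.51.100.9 - - [11/Mar/2026:18:40:02 +0000] "GET /ft2.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:18:50:09 +0000] "POST /ft2.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [11/Mar/2026:18:50:15 +0000] "POST /ft2.php HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [11/Mar/2026:18:50:21 +0000] "GET /files/cmd.php HTTP/1.1" 200 88 "-" "curl/8.0"
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    # Return a dict for a well-formed combined-format line, None otherwise.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def detect(lines, app_scripts=("/ft2.php",)):
    # Per client IP: count POSTs to ft2.php (uploads and unzip actions go through
    # it) and record hits on PHP files that are not part of the application.
    findings = defaultdict(lambda: {"uploads": 0, "foreign_php": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the scan
        path = rec["path"].lower()
        if rec["method"] == "POST" and path in app_scripts:
            findings[rec["ip"]]["uploads"] += 1
        elif path.endswith(".php") and path not in app_scripts:
            findings[rec["ip"]]["foreign_php"].append(rec["path"])
    return dict(findings)

def triage(findings):
    # Both signals from one client -> "high"; a single signal -> "review".
    ranked = {}
    for ip, f in findings.items():
        if f["uploads"] and f["foreign_php"]:
            ranked[ip] = "high"
        elif f["uploads"] or f["foreign_php"]:
            ranked[ip] = "review"
    return ranked
```

Run `triage(detect(open("access.log").readlines()))` against a real log; clients ranked "high" are the ones to block and to check the upload directory for.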

Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Leefish; Leefish file Thingie
CPEs | | cpe:2.3:a:leefish:file_thingie:*:*:*:*:*:*:*:*
Vendors & Products | | Leefish; Leefish file Thingie

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Filethingie; Filethingie filethingie
Vendors & Products | | Filethingie; Filethingie filethingie

Wed, 11 Mar 2026 22:30:00 +0000


Wed, 11 Mar 2026 22:00:00 +0000


Wed, 11 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
Title | | FileThingie 2.5.7 Arbitrary File Upload via ft2.php
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:04:29.169Z

Reserved: 2026-02-22T14:42:56.354Z

Link: CVE-2019-25471

Vulnrichment

Updated: 2026-03-11T19:22:54.494Z

NVD

Status : Analyzed

Published: 2026-03-11T19:16:00.803

Modified: 2026-04-13T14:25:16.107

Link: CVE-2019-25471

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:43:54Z

Weaknesses