Description
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code.
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client‑side code execution) via GET 'dir' parameter
Action: Mitigate
AI Analysis

Impact

File Thinghie version 2.5.7 contains a reflected Cross‑Site Scripting flaw that allows an attacker to inject and execute arbitrary JavaScript code in the victim’s browser. The missing input validation on the "dir" query parameter leads to script execution on page load, creating risks of session hijacking, cookie theft, defacement and further client‑side attacks that affect confidentiality, integrity and user experience.

Affected Systems

The vulnerability is confined to installations of Leefish File Thinghie version 2.5.7; no other versions or related products are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS rate below 1% suggests a low probability of active exploitation at this time. The flaw is not present in CISA’s KEV catalog, implying no widely confirmed exploitation. The likely attack path requires a victim to visit a crafted URL carrying malicious JavaScript in the "dir" parameter, delivered for example through social engineering or a phishing email, which triggers reflected execution in the victim's browser.

Generated by OpenCVE AI on April 2, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply File Thinghie version 2.5.8 or any later release that patches the XSS flaw, as soon as one becomes available.
  • If no patch is available, HTML-encode the 'dir' parameter before reflecting it in the response, or reject the request when the value does not match a whitelist of allowed directory names.
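The two mitigations above, shown side by side in an added Python example (not File Thinghie's own code, which is PHP, and not from OpenCVE). The raw reflection in render_vulnerable is the behaviour the advisory describes; render_encoded applies output encoding, and validate_dir applies a whitelist. The directory names in ALLOWED_DIRS, the accepted character pattern, and the handle_request helper are all constructed assumptions for illustration:

```python
import html
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed whitelist of directory names the application is willing to serve.
ALLOWED_DIRS = frozenset({"", "docs", "images", "uploads", "uploads/2026"})

# Conservative shape for a directory value: segments of letters, digits,
# underscore and hyphen, joined by "/". No dots, so ".." never gets through.
_SAFE_SEGMENT = r"[A-Za-z0-9_\-]+"
_SAFE_DIR_RE = re.compile(rf"^(?:{_SAFE_SEGMENT}(?:/{_SAFE_SEGMENT})*)?$")


def render_vulnerable(dir_param: str) -> str:
    """Reflect the parameter verbatim: the flaw described for 2.5.7."""
    return f"<p>Current directory: {dir_param}</p>"


def render_encoded(dir_param: str) -> str:
    """Mitigation 1: HTML-encode before reflecting. quote=True also escapes
    double and single quotes, so the value is safe inside attributes too."""
    return f"<p>Current directory: {html.escape(dir_param, quote=True)}</p>"


def validate_dir(dir_param: str) -> Optional[str]:
    """Mitigation 2: accept only whitelisted directory names.
    Returns the normalised name, or None when the request should be rejected."""
    if _SAFE_DIR_RE.fullmatch(dir_param) is None:
        return None
    normalised = "" if dir_param == "" else posixpath.normpath(dir_param)
    if normalised not in ALLOWED_DIRS:
        return None
    return normalised


def handle_request(query_string: str) -> Tuple[int, str]:
    """Hypothetical GET handler combining both mitigations: reject anything
    outside the whitelist, and encode even the accepted value (defence in depth)."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("dir", [""])
    if len(values) != 1:  # duplicated parameters are a common bypass trick
        return 400, "<p>Invalid request.</p>"
    directory = validate_dir(values[0])
    if directory is None:
        return 400, "<p>Invalid directory.</p>"
    return 200, render_encoded(directory)


if __name__ == "__main__":
    # Constructed sample input: a script tag in the 'dir' query parameter.
    sample = "<script>alert(1)</script>"
    print("vulnerable:", render_vulnerable(sample))
    print("encoded:   ", render_encoded(sample))
    print("whitelist: ", handle_request("dir=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
    print("legitimate:", handle_request("dir=uploads/2026"))
```

Encoding alone is correct only for the HTML text and attribute contexts shown here; if the value is also placed inside a JavaScript block or a URL, that context needs its own encoding. The whitelist check is the stronger control for a directory name, since the set of legitimate values is small and known to the application.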

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via GET 'dir' parameter in File Thinghie 2.5.7

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS via GET 'dir' parameter in File Thinghie 2.5.7

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Leefish
Leefish file Thingie
Vendors & Products Leefish
Leefish file Thingie

Fri, 20 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T14:06:08.500Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30578

Vulnrichment

Updated: 2026-03-23T14:05:56.491Z

NVD

Status: Analyzed

Published: 2026-03-20T18:16:13.203

Modified: 2026-04-01T19:00:07.353

Link: CVE-2026-30578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:36Z

Weaknesses