Description
File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

File Thingie 2.5.7 allows a malicious user to inject arbitrary JavaScript by uploading a file whose name contains a payload. This stored cross‑site scripting flaw can execute in the browser of any visitor who views the uploaded file, enabling session hijacking, phishing, or defacement. The weakness is identified as CWE‑79.

Affected Systems

The vulnerable product is File Thingie from the vendor Leefish, specifically version 2.5.7. No other versions are mentioned as affected.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, and the EPSS score is below 1 %, suggesting low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Attackers can trigger the XSS simply by accessing the upload page and supplying a crafted file name, so no privileged access is required. If the application is publicly reachable, every end‑user could be impacted by the injected code.

Generated by OpenCVE AI on April 2, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer version of File Thingie that removes the XSS vulnerability.
  • Implement server‑side validation on file names to escape special characters and strip scripts before storage.
  • Restrict the upload functionality to authenticated users and enforce least‑privilege access.
  • Monitor upload logs for abnormal file‑name patterns and block suspicious activity.

Generated by OpenCVE AI on April 2, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via Uploaded File Name in File Thingie 2.5.7

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via Uploaded File Name in File Thingie 2.5.7

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Leefish
Leefish file Thingie
Vendors & Products Leefish
Leefish file Thingie

Fri, 20 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.
References

Subscriptions

Leefish File Thingie
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T14:07:00.510Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30579

cve-icon Vulnrichment

Updated: 2026-03-23T14:06:57.676Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T18:16:13.323

Modified: 2026-04-01T19:01:22.010

Link: CVE-2026-30579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:35Z

Weaknesses