Description
File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.
Published: 2026-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Assess Impact
AI Analysis

Impact

File Thingie 2.5.7 contains a directory traversal flaw that allows a malicious user to read any file on the target system by abusing the "create folder from url" capability. The weakness is a classic directory traversal (CWE-22) that can expose sensitive configuration, credentials, or code. This vulnerability does not directly lead to code execution but can compromise confidentiality and potentially aid in further attacks if exposed files contain exploitable data.

Affected Systems

The flaw affects the version 2.5.7 of File Thingie, as identified by the vendor "leefish". No other product versions are noted as impacted in the available data.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate, and the EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is via the web interface that exposes the "create folder from url" feature, so an attacker would need access to the application, either through a normal user account or an unauthenticated session that permits the feature. This inference is based on the description of the feature and the nature of the flaw.

Generated by OpenCVE AI on April 2, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor patch or updated release for File Thingie 2.5.7.
  • If no patch is available, limit or disable the "create folder from url" function in the application configuration or via permission settings.
  • Restrict file system permissions so that the application runs with the least privileges necessary to avoid reading sensitive files.
  • Monitor application logs for attempts to use the vulnerable feature and investigate unusual file access patterns.

Generated by OpenCVE AI on April 2, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Directory Traversal via Create Folder from URL in File Thingie 2.5.7

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal via Create Folder from URL in File Thingie 2.5.7

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Leefish
Leefish file Thingie
Vendors & Products Leefish
Leefish file Thingie

Fri, 20 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.
References

Subscriptions

Leefish File Thingie
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T14:07:54.003Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30580

cve-icon Vulnrichment

Updated: 2026-03-23T14:07:37.222Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T18:16:13.433

Modified: 2026-04-01T19:01:34.523

Link: CVE-2026-30580

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:37Z

Weaknesses