CVE-2026-30579
Cross-Site Scripting in File Thingie 2.5.7 Upload Function
Publication date: 2026-03-20
Last updated on: 2026-04-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leefish | file_thingie | 2.5.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-30579 is a Cross Site Scripting (XSS) vulnerability affecting FileThingie version 2.5.7. It occurs through the "upload file" functionality, where a malicious user can upload a file with a specially crafted file name containing a JavaScript payload. When this file name is processed by the application, the JavaScript payload can be executed, leading to an XSS attack.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including high confidentiality and integrity loss. An attacker can remotely execute malicious scripts in the context of the affected application, potentially stealing sensitive information, manipulating data, or performing actions on behalf of legitimate users. The attack requires low privileges and user interaction, and it has a low impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the "upload file" functionality of FileThingie version 2.5.7 for the ability to upload files with specially crafted file names containing JavaScript payloads.'}, {'type': 'paragraph', 'content': "One approach is to attempt uploading a file with a filename that includes typical XSS payloads such as <script>alert('XSS')</script> and then observe if the payload executes when the file name is rendered in the application."}, {'type': 'paragraph', 'content': 'Since this is a web application vulnerability, network detection commands are not directly applicable, but you can use web application testing tools or scripts to automate this process.'}, {'type': 'paragraph', 'content': 'For manual testing, you might use curl or wget to upload files with crafted names if the upload endpoint is accessible via HTTP requests.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or sanitizing file names during the upload process to prevent JavaScript or other executable code from being embedded.
Implement input validation and output encoding to neutralize any malicious payloads in file names.
If possible, upgrade or patch FileThingie to a version where this vulnerability is fixed.
Limit user privileges to reduce the risk of exploitation, as the vulnerability requires low privileges but user interaction.