CVE-2023-53942

Critical CVSS: 9.4

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.

Vendor

Leefish

Product

File Thingie

CWE

CWE-434

Yayın Tarihi

2025-12-18 20:15:52

Güncelleme

2025-12-31 17:22:07

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-434 File Thingie CRITICAL Leefish 2025

Referanslar

https://github.com/leefish/filethingie https://www.exploit-db.com/exploits/51436 https://www.vulncheck.com/advisories/file-thingie-authenticated-arbitrary-file-upload-remote-code-execution https://www.exploit-db.com/exploits/51436

Benzer Kayıtlar

Medium

CVE-2026-30578

File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of th…

Medium

CVE-2026-30579

File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" function…

Medium

CVE-2026-30580

File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" func…