Which versions of PHP are affected by CVE-2019-25471?

FileThingie 2.5.7 contains a critical arbitrary file upload vulnerability (CVE-2019-25471) that allows attackers to upload and execute malicious files on affected servers.

Is there a public PoC exploit available for CVE-2019-25471?

Yes, a public proof-of-concept exploit is available for CVE-2019-25471. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2019-25471?

Within 24 hours: Identify all systems running FileThingie 2.5.7 and restrict network access to the ft2.php endpoint using firewall rules; disable the upload feature if operationally feasible. Within 7 days: Evaluate alternative file management solutions and plan migration timeline; implement WAF rules to block suspicious ZIP uploads to ft2.php. Within 30 days: Complete migration to a supported alternative product or fully decommission FileThingie; conduct forensic review of upload directories for indicators of compromise.

PHP CVE-2019-25471

Q: What is the CVSS score of CVE-2019-25471?

CVE-2019-25471 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

CRITICAL

Path Traversal (CWE-22)

2026-03-11 disclosure@vulncheck.com

PHP Path Traversal File Upload

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 13, 2026 - 14:37 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Analysis Generated

Mar 12, 2026 - 22:07 vuln.today

PoC Detected

Mar 12, 2026 - 21:08 vuln.today

Public exploit code

CVE Published

Mar 11, 2026 - 19:16 nvd

CRITICAL 9.8

DescriptionNVD

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

AnalysisAI

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

Technical ContextAI

CWE-22.

RemediationAI

Update.

CVE-2019-25471 vulnerability details – vuln.today

Back

PHP CVE-2019-25471

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

PHP CVE-2019-25471

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code