Skip to main content

CVE-2026-30578

| EUVDEUVD-2026-13732 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 17:30 euvd
EUVD-2026-13732
Analysis Generated
Mar 20, 2026 - 17:30 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary javascript code.

AnalysisAI

File Thinghie version 2.5.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'dir' GET parameter that allows attackers to execute arbitrary JavaScript code in users' browsers. An attacker can craft a malicious URL containing JavaScript payload in the 'dir' parameter and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. While CVSS and EPSS scores are not available, proof-of-concept code exists in public repositories, indicating the vulnerability is well-documented and likely exploitable.

Technical ContextAI

File Thinghie is a lightweight file manager application written in PHP. The vulnerability stems from insufficient input validation and output encoding on the 'dir' parameter in GET requests, which likely reflects user-supplied input directly into HTML or JavaScript context without proper sanitization. This is a classic Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where the application fails to neutralize potentially malicious user input before rendering it in the HTTP response. The affected component processes directory navigation requests via the 'dir' parameter without implementing proper contextual encoding or Content Security Policy (CSP) headers to prevent script execution.

RemediationAI

Immediately upgrade File Thinghie to the latest available version beyond 2.5.7 if a patch has been released by the maintainers at https://github.com/leefish/filethingie. If no patched version is available, implement input validation by strictly whitelisting allowed directory paths and rejecting any 'dir' parameter values that deviate from expected patterns, then add output encoding using context-appropriate methods (HTML entity encoding for HTML context, JavaScript encoding for script context). Additionally, deploy HTTP security headers including Content-Security-Policy (CSP) to restrict script execution to trusted sources only, implement HTTPOnly and Secure flags on session cookies to mitigate session hijacking, and consider deploying a Web Application Firewall (WAF) with XSS filtering rules to detect and block malicious payloads in GET parameters until patching is completed.

Share

CVE-2026-30578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy