Skip to main content

CVE-2026-30579

| EUVDEUVD-2026-13734 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 17:30 euvd
EUVD-2026-13734
Analysis Generated
Mar 20, 2026 - 17:30 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.

AnalysisAI

File Thingie version 2.5.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its file upload functionality where attackers can craft malicious filenames to execute arbitrary JavaScript in users' browsers. An attacker with the ability to upload files to a File Thingie instance can inject JavaScript payloads via filename manipulation, affecting any user who views the uploaded file list or file details. While no CVSS score, EPSS probability, or KEV inclusion status is currently available, proof-of-concept code has been published on GitHub, indicating the vulnerability is publicly disclosed and likely exploitable.

Technical ContextAI

File Thingie is a lightweight file sharing and management application. The vulnerability exists in the file upload handler, which fails to properly sanitize or encode user-supplied filenames before displaying them in the web interface. This represents a classic Stored XSS vulnerability where malicious input persists in the application's file system or database and is executed each time the filename is rendered to users. The root cause appears to be insufficient output encoding or input validation in the file naming mechanism, failing to escape special characters or HTML entities that could break out of HTML context and inject script tags.

RemediationAI

Immediately upgrade File Thingie to a patched version released after 2.5.7 if available from the official GitHub repository (https://github.com/leefish/filethingie). Until a patch is confirmed available, implement compensating controls by restricting file upload access to trusted users only, disabling file upload functionality if not essential, and implementing a Web Application Firewall (WAF) with strict filename validation rules that reject filenames containing special characters, HTML entities, or script-like patterns. Additionally, configure the web server to serve uploaded files with Content-Disposition: attachment headers to prevent in-browser script execution and enforce strong Content Security Policy (CSP) headers to mitigate JavaScript injection impact. Monitor the official GitHub repository and security advisories for patch releases.

Share

CVE-2026-30579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy