Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.
AnalysisAI
File Thingie version 2.5.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its file upload functionality where attackers can craft malicious filenames to execute arbitrary JavaScript in users' browsers. An attacker with the ability to upload files to a File Thingie instance can inject JavaScript payloads via filename manipulation, affecting any user who views the uploaded file list or file details. While no CVSS score, EPSS probability, or KEV inclusion status is currently available, proof-of-concept code has been published on GitHub, indicating the vulnerability is publicly disclosed and likely exploitable.
Technical ContextAI
File Thingie is a lightweight file sharing and management application. The vulnerability exists in the file upload handler, which fails to properly sanitize or encode user-supplied filenames before displaying them in the web interface. This represents a classic Stored XSS vulnerability where malicious input persists in the application's file system or database and is executed each time the filename is rendered to users. The root cause appears to be insufficient output encoding or input validation in the file naming mechanism, failing to escape special characters or HTML entities that could break out of HTML context and inject script tags.
RemediationAI
Immediately upgrade File Thingie to a patched version released after 2.5.7 if available from the official GitHub repository (https://github.com/leefish/filethingie). Until a patch is confirmed available, implement compensating controls by restricting file upload access to trusted users only, disabling file upload functionality if not essential, and implementing a Web Application Firewall (WAF) with strict filename validation rules that reject filenames containing special characters, HTML entities, or script-like patterns. Additionally, configure the web server to serve uploaded files with Content-Disposition: attachment headers to prevent in-browser script execution and enforce strong Content Security Policy (CSP) headers to mitigate JavaScript injection impact. Monitor the official GitHub repository and security advisories for patch releases.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13734