Skip to main content

CVE-2026-30580

| EUVDEUVD-2026-13742 MEDIUM
Path Traversal (CWE-22)
2026-03-20 mitre
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 17:45 euvd
EUVD-2026-13742
Analysis Generated
Mar 20, 2026 - 17:45 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 4.3

DescriptionCVE.org

File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.

AnalysisAI

File Thingie version 2.5.7 contains a directory traversal vulnerability in its 'create folder from URL' functionality that allows unauthenticated attackers to read arbitrary files from the target system. An attacker can exploit this path traversal flaw by crafting malicious input to the folder creation feature, bypassing directory restrictions and accessing sensitive files outside the intended application directory. Proof-of-concept code is available in public repositories, and while CVSS and EPSS scores are not published, the vulnerability enables direct unauthorized information disclosure.

Technical ContextAI

The vulnerability exists in File Thingie, a file management web application, and stems from improper input validation in the 'create folder from URL' feature. The root cause is classified as CWE Path Traversal (CWE-22), where user-supplied path components are not adequately sanitized before being used in file system operations. When the application processes folder creation requests, it fails to canonicalize and validate file paths, allowing attackers to use path traversal sequences (such as '../' or URL-encoded variants) to navigate outside the intended base directory. The CPE for affected products indicates File Thingie (vendor/product identifiers pending clarification in MITRE records), though the specific affected version range has been confirmed as 2.5.7 and potentially earlier releases.

RemediationAI

Immediately upgrade File Thingie to the latest available version beyond 2.5.7; consult the official repository at https://github.com/leefish/filethingie for the most recent stable release and security patches. If an immediate upgrade is not feasible, implement network-level access controls to restrict the 'create folder from URL' endpoint to trusted IP ranges only, and consider disabling this feature entirely if it is not critical to operations. Additionally, review recent access logs for any suspicious requests targeting path traversal sequences (../, ..\, %2e%2e%2f) directed at the folder creation endpoint, and audit the file system for any unauthorized access or data exfiltration. Monitor the vendor repository and security advisories for official guidance on patched versions.

Share

CVE-2026-30580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy