Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.
AnalysisAI
File Thingie version 2.5.7 contains a directory traversal vulnerability in its 'create folder from URL' functionality that allows unauthenticated attackers to read arbitrary files from the target system. An attacker can exploit this path traversal flaw by crafting malicious input to the folder creation feature, bypassing directory restrictions and accessing sensitive files outside the intended application directory. Proof-of-concept code is available in public repositories, and while CVSS and EPSS scores are not published, the vulnerability enables direct unauthorized information disclosure.
Technical ContextAI
The vulnerability exists in File Thingie, a file management web application, and stems from improper input validation in the 'create folder from URL' feature. The root cause is classified as CWE Path Traversal (CWE-22), where user-supplied path components are not adequately sanitized before being used in file system operations. When the application processes folder creation requests, it fails to canonicalize and validate file paths, allowing attackers to use path traversal sequences (such as '../' or URL-encoded variants) to navigate outside the intended base directory. The CPE for affected products indicates File Thingie (vendor/product identifiers pending clarification in MITRE records), though the specific affected version range has been confirmed as 2.5.7 and potentially earlier releases.
RemediationAI
Immediately upgrade File Thingie to the latest available version beyond 2.5.7; consult the official repository at https://github.com/leefish/filethingie for the most recent stable release and security patches. If an immediate upgrade is not feasible, implement network-level access controls to restrict the 'create folder from URL' endpoint to trusted IP ranges only, and consider disabling this feature entirely if it is not critical to operations. Additionally, review recent access logs for any suspicious requests targeting path traversal sequences (../, ..\, %2e%2e%2f) directed at the folder creation endpoint, and audit the file system for any unauthorized access or data exfiltration. Monitor the vendor repository and security advisories for official guidance on patched versions.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13742