CVE-2026-30579

Name of the Vulnerable Software and Affected Versions File Thingie version 2.5.7

Description File Thingie version 2.5.7 is susceptible to Cross Site Scripting (XSS). A malicious user can exploit the "upload file" functionality by uploading a file with a specially crafted file name to trigger a Javascript payload. The vulnerable functionality involves the processing of uploaded files and their associated names. The filename is not properly sanitized before being used in a web page, allowing for the injection of malicious scripts.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the types of files that can be uploaded. Sanitize the filename before using it in a web page.