CVE-2023-53942

HIGH 8.8

File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.

CWE	CWE-434
Vendor	leefish
Product	file thingie
Published	Dec 18, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for leefish file thingie

Be the first to know when new high vulnerabilities affecting leefish file thingie are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

leefish / File Thingie

2.5.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51436 github.com: https://github.com/leefish/filethingie vulncheck.com: https://www.vulncheck.com/advisories/file-thingie-authenticated-arbitrary-file-upload-remote-code-execution

Credits

Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)