Description

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-18 | Updated 2025-12-18 | Assigner VulnCheck




CRITICAL: 9.4 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
HIGH: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

2.5.7 affected

Credits

Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt) finder

References

www.exploit-db.com/exploits/51436 (ExploitDB-51436) exploit

github.com/leefish/filethingie (Product GitHub Repository) product

www.vulncheck.com/...trary-file-upload-remote-code-execution (VulnCheck Advisory: File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution) third-party-advisory

cve.org (CVE-2023-53942)

nvd.nist.gov (CVE-2023-53942)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.