← back
CVE-2019-25471

FileThingie 2.5.7 Arbitrary File Upload via ft2.php

CVSS 9.3 CRITICALEPSS 0.9%CWE-22
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.3EPSS 0.9%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N