CVE-2023-53942

File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution

CVSS 9.4 CRITICAL · EPSS 0.5% · CWE-434
Vexday Risk Score
28 · Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.4 · EPSS 0.5% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
18 Dec 2025 · Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
leefish · File Thingie