{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30578", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T14:06:08.500Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:16:17.748Z"}, "descriptions": [{"lang": "en", "value": "File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"dir\" parameter of the GET request to invoke arbitrary javascript code."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30578"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:06:05.641341Z", "id": "CVE-2026-30578", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:06:08.500Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:06:05.641341Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:05:56.491Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30578"}], "descriptions": [{"lang": "en", "value": "File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"dir\" parameter of the GET request to invoke arbitrary javascript code."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:16:17.748Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30578", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:06:08.500Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "AEFFC71B-7FE1-4570-AA17-5E9E300B8EA9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"dir\" parameter of the GET request to invoke arbitrary javascript code."}, {"lang": "es", "value": "File Thinghie 2.5.7 es vulnerable a Cross Site Scripting (XSS). Un usuario malicioso puede aprovechar el par\u00e1metro 'dir' de la solicitud GET para invocar c\u00f3digo javascript arbitrario."}], "id": "CVE-2026-30578", "lastModified": "2026-04-01T19:00:07.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T18:16:13.203", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30578"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/leefish/filethingie"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.5.7"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "file_thingie", "vendor": "leefish"}], "analysis": {"en": {"generated_at": "2026-04-02T05:26:16.734669+00:00", "value": {"mitigation_remediation": ["Apply any available File Thinghie version 2.5.8 or later that patches the XSS flaw.", "If no patch is available, sanitize or encode the 'dir' parameter before reflecting it in the response, or reject the request if the value does not match a whitelist of allowed directory names."], "summary": {"action": "Mitigate", "impact": "Cross\u2011Site Scripting (client\u2011side code execution) via GET 'dir' parameter"}, "threat_synthesis": {"affected_systems": "The vulnerability is confined to installations running the specific \"leefish\" File Thinghie product version 2.5.7. No other versions or related products are listed as affected.", "description_and_impact": "File Thinghie version 2.5.7 contains a reflected Cross\u2011Site Scripting flaw that allows an attacker to inject and execute arbitrary JavaScript code in the victim\u2019s browser. The missing input validation on the \"dir\" query parameter leads to script execution on page load, creating risks of session hijacking, cookie theft, defacement and further client\u2011side attacks that affect confidentiality, integrity and user experience.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS rate below 1% suggests a low probability of active exploitation at this time. The flaw is not present in CISA\u2019s KEV catalog, implying no widely confirmed exploitation. The likely attack path requires a victim to visit a crafted URL containing malicious JavaScript in the \"dir\" parameter \u2013 for example via social\u2011engineering or phishing emails \u2013 to trigger reflected execution in their browser."}}}}, "created": "2026-03-23T09:54:18.361421+00:00", "updated": "2026-04-02T07:59:36.444286+00:00", "vendors": ["leefish", "leefish$PRODUCT$file_thingie"]}