{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30579", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T14:07:00.510Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:17:02.759Z"}, "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"upload file\" functionality to upload a file with a crafted file name used to trigger a Javascript payload."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30579"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:06:41.999001Z", "id": "CVE-2026-30579", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:07:00.510Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30579", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:06:41.999001Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:06:57.676Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30579"}], "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"upload file\" functionality to upload a file with a crafted file name used to trigger a Javascript payload."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:17:02.759Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30579", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:07:00.510Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "AEFFC71B-7FE1-4570-AA17-5E9E300B8EA9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the \"upload file\" functionality to upload a file with a crafted file name used to trigger a Javascript payload."}, {"lang": "es", "value": "File Thingie 2.5.7 es vulnerable a Cross Site Scripting (XSS). Un usuario malicioso puede aprovechar la funcionalidad de 'subir archivo' para subir un archivo con un nombre de archivo manipulado utilizado para activar una carga \u00fatil de Javascript."}], "id": "CVE-2026-30579", "lastModified": "2026-04-01T19:01:22.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T18:16:13.323", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30579"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/leefish/filethingie"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.5.7"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "file_thingie", "vendor": "leefish"}], "analysis": {"en": {"generated_at": "2026-04-02T03:34:20.197749+00:00", "value": {"mitigation_remediation": ["Upgrade to a newer version of File Thingie that removes the XSS vulnerability.", "Implement server\u2011side validation on file names to escape special characters and strip scripts before storage.", "Restrict the upload functionality to authenticated users and enforce least\u2011privilege access.", "Monitor upload logs for abnormal file\u2011name patterns and block suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerable product is File Thingie from the vendor Leefish, specifically version 2.5.7. No other versions are mentioned as affected.", "description_and_impact": "File Thingie 2.5.7 allows a malicious user to inject arbitrary JavaScript by uploading a file whose name contains a payload. This stored cross\u2011site scripting flaw can execute in the browser of any visitor who views the uploaded file, enabling session hijacking, phishing, or defacement. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity, and the EPSS score is below 1\u202f%, suggesting low current exploitation probability. The flaw is not listed in CISA\u2019s KEV catalog. Attackers can trigger the XSS simply by accessing the upload page and supplying a crafted file name, so no privileged access is required. If the application is publicly reachable, every end\u2011user could be impacted by the injected code."}}}}, "created": "2026-03-23T09:54:17.225196+00:00", "updated": "2026-04-02T07:59:35.253090+00:00", "vendors": ["leefish", "leefish$PRODUCT$file_thingie"]}