{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30580", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T14:07:54.003Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:22:06.265Z"}, "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the \"create folder from url\" functionality of the application to read arbitrary files on the target system."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30580"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:07:47.196179Z", "id": "CVE-2026-30580", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:07:54.003Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T14:07:47.196179Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:07:37.222Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/leefish/filethingie"}, {"url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30580"}], "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the \"create folder from url\" functionality of the application to read arbitrary files on the target system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T17:22:06.265Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30580", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:07:54.003Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leefish:file_thingie:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "AEFFC71B-7FE1-4570-AA17-5E9E300B8EA9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the \"create folder from url\" functionality of the application to read arbitrary files on the target system."}, {"lang": "es", "value": "File Thingie 2.5.7 es vulnerable a Salto de Directorio. Un usuario malintencionado puede aprovechar la funcionalidad 'crear carpeta desde url' de la aplicaci\u00f3n para leer archivos arbitrarios en el sistema objetivo."}], "id": "CVE-2026-30580", "lastModified": "2026-04-01T19:01:34.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T18:16:13.433", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/SpeWnz/Vulnerability-Research/tree/main/CVE-2026-30580"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/leefish/filethingie"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.5.7"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "file_thingie", "vendor": "leefish"}], "analysis": {"en": {"generated_at": "2026-04-02T03:35:18.314287+00:00", "value": {"mitigation_remediation": ["Check for and apply any vendor patch or updated release for File Thingie 2.5.7.", "If no patch is available, limit or disable the \"create folder from url\" function in the application configuration or via permission settings.", "Restrict file system permissions so that the application runs with the least privileges necessary to avoid reading sensitive files.", "Monitor application logs for attempts to use the vulnerable feature and investigate unusual file access patterns."], "summary": {"action": "Assess Impact", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The flaw affects the version 2.5.7 of File Thingie, as identified by the vendor \"leefish\". No other product versions are noted as impacted in the available data.", "description_and_impact": "File Thingie 2.5.7 contains a directory traversal flaw that allows a malicious user to read any file on the target system by abusing the \"create folder from url\" capability. The weakness is a classic directory traversal (CWE-22) that can expose sensitive configuration, credentials, or code. This vulnerability does not directly lead to code execution but can compromise confidentiality and potentially aid in further attacks if exposed files contain exploitable data.", "risk_and_exploitability": "With a CVSS score of 4.3 the risk is moderate, and the EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is via the web interface that exposes the \"create folder from url\" feature, so an attacker would need access to the application, either through a normal user account or an unauthenticated session that permits the feature. This inference is based on the description of the feature and the nature of the flaw."}}}}, "created": "2026-03-23T09:54:19.299814+00:00", "updated": "2026-04-02T07:59:37.602228+00:00", "vendors": ["leefish", "leefish$PRODUCT$file_thingie"]}