CVE-2023-53942

HIGH

Thingie 2.5.7 - Command Injection

Title source: llm

Description

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.

Exploits (1)

exploitdb WORKING POC

by Maurice Fielenbach · pythonwebappsphp

https://www.exploit-db.com/exploits/51436

View Code ZIP pw:eip

References (3)

[Product] https://github.com/leefish/filethingie

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/51436

[Third Party Advisory] https://www.vulncheck.com/advisories/file-thingie-authenticated-arbitrary-file-upload-remote-code-execution

Scores

CVSS v3 8.8

EPSS 0.0023

EPSS Percentile 45.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

leefish/File Thingie 2.5.7

leefish/file_thingie 2.5.7

Published Dec 18, 2025

Tracked Since Feb 18, 2026