9.3

FileThingie 2.5.7 allows attackers to upload malicious files via ZIP archives

CVE-2019-25471
Summary

FileThingie's ft2.php endpoint allows attackers to upload ZIP files containing malicious code, which can then be executed on the server. This means that attackers can potentially take control of the server or steal sensitive data. To protect your system, update to a secure version of FileThingie or patch the vulnerable endpoint.

Original title
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP file...
Original description
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-22 Path Traversal
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
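
A pre-extraction check of the kind a patch for the upload-then-unzip path described above could apply, shown as an added example that is not FileThingie's own code. The function name `zip_rejections`, the `ALLOWED_EXT` allow-list and the sample archive are assumptions made for illustration.

```php
<?php
// Added example, not FileThingie code. Function name and allow-list are assumptions.
const ALLOWED_EXT = ['txt', 'jpg', 'png', 'gif', 'pdf'];

// Returns reasons to reject the archive; an empty array means every entry passed.
function zip_rejections(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['not a readable ZIP archive'];
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $norm = str_replace('\\', '/', $name);
        // CWE-22: absolute paths, drive letters and ".." segments leave the target directory.
        if ($norm === '' || $norm[0] === '/' || preg_match('/^[A-Za-z]:/', $norm)
            || in_array('..', explode('/', $norm), true)) {
            $problems[] = "path escapes destination: $name";
            continue;
        }
        if (substr($norm, -1) === '/') {
            continue; // directory entry, nothing to execute
        }
        // One base name plus one allow-listed extension: rejects shell.php,
        // double extensions such as photo.php.jpg, and dotfiles such as .htaccess.
        if (!preg_match('/^[\w -]+\.([A-Za-z0-9]+)$/', basename($norm), $m)
            || !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
            $problems[] = "file type not allowed: $name";
        }
    }
    $zip->close();
    return $problems;
}

// Constructed sample archive, built in a temp file so the script runs offline.
$tmp = tempnam(sys_get_temp_dir(), 'zip');
$z = new ZipArchive();
$z->open($tmp, ZipArchive::OVERWRITE);
$z->addFromString('notes.txt', 'constructed');
$z->addFromString('img/shell.php', 'constructed placeholder');
$z->addFromString('../up.txt', 'constructed placeholder');
$z->addFromString('photo.php.jpg', 'constructed placeholder');
$z->close();

print_r(zip_rejections($tmp));
unlink($tmp);
```

Extraction should proceed only when the returned array is empty, and ideally into a directory the web server does not execute scripts from.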