CVE-2019-25471 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 11, 2026
FileThingie - Unrestricted File Upload
Published: March 11, 2026 | Updated: March 11, 2026 | Remote Exploitable
Overview
FileThingie 2.5.7 contains an unrestricted file upload vulnerability caused by the ft2.php endpoint accepting ZIP archives, which lets attackers upload and execute arbitrary PHP files. Exploitation requires the ability to send crafted ZIP files.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can upload and execute arbitrary PHP code, potentially leading to full server compromise.
Mitigation
Update to the latest version.
Details
- CVE ID: CVE-2019-25471
- Severity: Critical
- CVSS Score: 9.8
- Type: unrestricted_file_upload
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H