CVE-2019-25471 CRITICAL

CVE-2019-25471: FileThingie 2.5.7 Arbitrary File Upload via ft2.php

Vendor Filethingie

Product FileThingie

Weakness CWE-22 · Path traversal

Published March 11, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

Key dates

Disclosure timeline

March 11, 2026 CVE published

April 7, 2026 Record updated