CVE-2023-53942 CRITICAL

CVE-2023-53942: File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution

Vendor Leefish
Product File Thingie
Weakness CWE-434 · Unrestricted file upload
Published December 18, 2025
Last update April 7, 2026

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload zip archives containing malicious PHP to the web server. An attacker can create a custom PHP payload, upload it as a zip archive and unzip it on the server, and then execute arbitrary system commands through the crafted PHP script, which takes a command parameter.

Key dates

02 Disclosure timeline

December 18, 2025 CVE published
April 7, 2026 Record updated