CVE-2026-30578 identifies a Cross Site Scripting (XSS) vulnerability in File Thinghie version 2.5.7, a web-based file management application. The vulnerability stems from inadequate input validation and output encoding of the 'dir' parameter in HTTP GET requests. An attacker can craft a malicious URL containing JavaScript code within the 'dir' parameter, which, when accessed by a victim, executes in the victim's browser under the domain of the vulnerable application. This execution context allows attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or executing arbitrary scripts that compromise user data or integrity. The vulnerability does not require user authentication, increasing its risk profile. Although no public exploits are currently known, the simplicity of the attack vector and the commonality of XSS vulnerabilities make it a significant threat. The absence of a CVSS score suggests the need for a manual severity assessment. The vulnerability affects all instances running the specified version, and without available patches or mitigations listed, organizations must rely on input filtering, web application firewalls, or upgrading to a fixed version once available.

The impact of this XSS vulnerability can be substantial for organizations using File Thinghie 2.5.7. Successful exploitation can lead to theft of sensitive user information such as session tokens and credentials, enabling unauthorized access to user accounts and potentially the underlying file system managed by the application. It can also facilitate phishing attacks by injecting malicious content or redirects, damaging organizational reputation and user trust. For environments where File Thinghie is used to manage critical or sensitive files, the integrity and confidentiality of data are at risk. Additionally, attackers could leverage the vulnerability as a foothold for further attacks within the network. The lack of authentication requirements and the ease of exploitation increase the likelihood of widespread attacks if the vulnerability is publicly disclosed or weaponized.

To mitigate this vulnerability, organizations should immediately implement strict input validation and output encoding for the 'dir' parameter to neutralize malicious scripts. Deploying a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this parameter can provide an effective temporary defense. Monitoring web server logs for suspicious requests containing script tags or unusual characters in the 'dir' parameter is recommended to detect attempted exploitation. Users should be educated about the risks of clicking untrusted links. Organizations should track vendor advisories for patches or updates addressing this vulnerability and apply them promptly once available. If upgrading is not immediately possible, consider isolating the File Thinghie instance behind network segmentation and restricting access to trusted users only. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the application.