CVE-2026-30578 identifies a Cross Site Scripting (XSS) vulnerability in File Thinghie version 2.5.7, a web-based file management application. The vulnerability arises from improper sanitization of the 'dir' parameter in HTTP GET requests, allowing attackers to inject and execute arbitrary JavaScript code within the context of the victim's browser session. This type of vulnerability is classified under CWE-79. The CVSS 3.1 base score is 6.5, reflecting a medium severity with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, requiring low privileges, user interaction, and scope change. Successful exploitation can lead to partial compromise of confidentiality, integrity, and availability by executing malicious scripts that could steal session tokens, manipulate displayed content, or perform actions on behalf of the user. No patches or official fixes have been released at the time of publication, and no active exploits have been observed in the wild. The vulnerability affects web servers running File Thinghie 2.5.7, particularly those accessible to untrusted or semi-trusted users. Mitigation requires careful input validation, output encoding, and possibly restricting access to vulnerable parameters. The vulnerability was reserved on March 4, 2026, and published on March 20, 2026.

The impact of CVE-2026-30578 on organizations can be significant, especially for those relying on File Thinghie 2.5.7 for web-based file management. Exploitation can lead to theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and potential spread of malware via injected scripts. This can compromise sensitive data confidentiality and integrity, disrupt availability through malicious script execution, and damage organizational reputation. Since the vulnerability requires user interaction and low privileges, attackers may target employees or users with limited access to escalate their impact. Organizations with public-facing File Thinghie instances are at higher risk, particularly if they do not implement web application firewalls or input sanitization. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2026-30578, organizations should implement strict input validation and output encoding on the 'dir' parameter to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit access to the File Thinghie application to trusted users and networks, using authentication and IP whitelisting where possible. Deploy Web Application Firewalls (WAFs) with rules targeting XSS attack patterns to detect and block malicious requests. Monitor logs for unusual activity related to the 'dir' parameter and user sessions. Until an official patch is released, consider disabling or restricting features that accept user-controlled input in URLs. Educate users about the risks of clicking on suspicious links and encourage the use of updated browsers with built-in XSS protections. Regularly review and update security controls as new information or patches become available.