Home

Description

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

PUBLISHED Reserved 2026-03-18 | Published 2026-03-24 | Updated 2026-03-25 | Assigner GitHub_M




HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73: External Control of File Name or Path

Product status

>= 1.0.1, < 3.10.0
affected

References

github.com/...leRise/security/advisories/GHSA-c2jm-4wp9-5vrh

github.com/...ommit/3871f9fd1661688bed4f7dd23912be0ebf50973c

github.com/error311/FileRise/releases/tag/v3.10.0

cve.org (CVE-2026-33329)

nvd.nist.gov (CVE-2026-33329)

Download JSON