Platform: php
Component: filerise
Fixed in: 3.8.1
CVE-2026-33070 is a denial-of-service (DoS) vulnerability affecting FileRise, a self-hosted web file manager and WebDAV server. This vulnerability allows unauthenticated users to delete file share links, effectively denying access to shared files. The issue impacts versions of FileRise prior to 3.8.0 and has been resolved in version 3.8.0.
An attacker can exploit this vulnerability by sending a simple HTTP request to the /api/file/deleteShareLink.php endpoint with a valid share token. Because the endpoint lacks authentication and authorization checks, any unauthenticated user can delete share links, rendering them inaccessible to legitimate users. This effectively disrupts shared file access and can cause significant inconvenience or data loss depending on the importance of the shared files. The blast radius is limited to users relying on the affected share links; however, the ease of exploitation makes it a potential target for widespread abuse.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the simplicity of the attack suggests a low barrier to entry for exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 3.7 (LOW) reflects the limited impact and ease of mitigation.
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33070 is to upgrade FileRise to version 3.8.0 or later, which includes the necessary authentication and authorization checks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/file/deleteShareLink.php endpoint from unauthenticated users. Additionally, review and restrict access to the FileRise server to minimize potential attack surface. After upgrade, confirm the fix by attempting to delete a share link without authentication; the request should be rejected.
Upgrade FileRise to version 3.8.0 or later. This version fixes the unauthenticated share link deletion vulnerability. The upgrade will prevent unauthorized users from deleting share links, restoring secure access to shared files.
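Until the upgrade is in place, web server access logs show whether the endpoint has been called and by whom. The following is an added example, not code from FileRise or its advisory: it assumes the Apache/nginx "combined" log format, treats a 2xx status as an accepted call, and uses a hypothetical burst threshold of 3; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/file/deleteShareLink.php"  # endpoint named in the advisory

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Mar/2026:10:01:02 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.7 - - [21/Mar/2026:10:01:03 +0000] "POST /api/file/deleteShareLink.php?x=1 HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.7 - - [21/Mar/2026:10:01:04 +0000] "POST //api/file/deleteShareLink.php HTTP/1.1" 200 31 "-" "curl/8.5.0"
203.0.113.20 - - [21/Mar/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [21/Mar/2026:10:05:09 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 403 12 "-" "Mozilla/5.0"
"""


def normalize(target):
    """Strip the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)


def hunt(log_text, burst_threshold=3):
    """Return per-client counts of calls to the share-link deletion endpoint."""
    clients = defaultdict(lambda: {"total": 0, "succeeded": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != ENDPOINT:
            continue
        c = clients[m["ip"]]
        c["total"] += 1
        c["succeeded"] += m["status"].startswith("2")  # assumption: 2xx means the call was accepted
        c["first"] = c["first"] or m["ts"]
        c["last"] = m["ts"]
    for c in clients.values():
        c["burst"] = c["total"] >= burst_threshold  # many deletion calls from one client
    return dict(clients)


if __name__ == "__main__":
    for ip, c in hunt(SAMPLE_LOG).items():
        print(ip, c)
```

Clients with a non-zero `succeeded` count on a pre-3.8.0 instance are the ones to correlate against share links that users report as missing.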
CVE-2026-33070 is a denial-of-service vulnerability in FileRise versions prior to 3.8.0. Unauthenticated users can delete file share links, disrupting shared file access.
You are affected if you are running FileRise version 3.8.0 or earlier. Upgrade to 3.8.0 to mitigate the vulnerability.
Upgrade FileRise to version 3.8.0. As a temporary workaround, restrict access to the /api/file/deleteShareLink.php endpoint using a WAF or proxy.
As of the publication date, there is no evidence of active exploitation of CVE-2026-33070 in the wild.
Refer to the official FileRise advisory for detailed information and updates regarding CVE-2026-33070.