Platform: other
Component: filerise
Fixed in: 1.0.2
CVE-2026-33329 describes a Path Traversal vulnerability discovered in FileRise, a self-hosted web file manager and WebDAV server. This flaw allows authenticated users with upload permissions to manipulate file system paths, potentially leading to unauthorized file access and modification. The vulnerability impacts versions 1.0.1 through 3.9.9 and has been resolved in version 3.10.0.
The core of this vulnerability lies in the Resumable.js chunked upload handler within FileRise. Specifically, the resumableIdentifier parameter is directly concatenated into file system paths without proper sanitization. This lack of validation enables an attacker to craft malicious upload requests that include directory traversal sequences (e.g., ../../../../). Successful exploitation allows an attacker to write arbitrary files to any location accessible by the FileRise process, potentially overwriting critical system files or injecting malicious code. Furthermore, the cleanup process after assembly can be exploited to delete directories, leading to denial of service or further compromise. The ability to probe file and directory existence also provides reconnaissance capabilities, allowing attackers to map the file system and identify valuable targets.
This vulnerability was publicly disclosed on March 24, 2026. No public proof-of-concept exploits have been observed at the time of writing, but the ease of exploitation makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV. The lack of a public exploit does not diminish the risk, as the vulnerability is relatively straightforward to exploit given authenticated access.
Organizations and individuals using FileRise for self-hosting file management and WebDAV services are at risk. This includes users deploying FileRise on shared hosting environments, as the vulnerability could be exploited by other tenants on the same server. Legacy FileRise installations with outdated configurations and weak access controls are particularly vulnerable.
• linux / server: Monitor FileRise logs for suspicious file creation or deletion attempts, particularly those containing directory traversal sequences (e.g., ../).

    # follow the service journal; match the word "traversal" or a literal "../" (dots escaped)
    journalctl -u FileRise -f | grep -i -e 'traversal' -e '\.\./'

• generic web: Check FileRise access logs for requests containing unusual paths or directory traversal sequences in the resumableIdentifier parameter.

    # dots escaped so "." is not a wildcard; also catches the URL-encoded "..%2F" form
    grep -E 'resumableIdentifier=(\.\./|\.\.%2[Ff])' /var/log/apache2/access.log
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-33329 is to immediately upgrade FileRise to version 3.10.0 or later, which includes the necessary sanitization fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious directory traversal sequences in the resumableIdentifier parameter. Carefully review and restrict user permissions related to file uploads to limit the potential impact of a successful attack. Monitor FileRise logs for unusual file access or modification patterns that might indicate exploitation attempts.
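As an added example that is not FileRise's own code and not part of this advisory: a Python scanner that applies the allowlist a WAF rule or the upload handler itself would enforce on resumableIdentifier, then runs it over constructed access-log lines (the /upload endpoint, client addresses and identifier values are placeholders). Unlike a literal grep for "../", it URL-decodes the parameter first, so single- and double-encoded traversal sequences are caught as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Allowlist for a Resumable.js identifier: letters, digits, '.', '_' and '-'.
# Slashes, backslashes and '%' are rejected, so a WAF or the handler can apply it.
SAFE_IDENTIFIER = re.compile(r"[A-Za-z0-9_.-]{1,128}")

# Combined-log request line: client ... "METHOD target HTTP/x".
REQUEST_LINE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/')

# Constructed sample lines; the /upload endpoint and client addresses are
# placeholders, not FileRise's real paths or observed traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Mar/2026:10:00:01 +0000] "GET /upload?resumableChunkNumber=1&resumableIdentifier=1234-report.pdf HTTP/1.1" 200 12
10.0.0.9 - bob [24/Mar/2026:10:00:07 +0000] "GET /upload?resumableChunkNumber=1&resumableIdentifier=../../../../etc/probe HTTP/1.1" 200 12
10.0.0.9 - bob [24/Mar/2026:10:00:09 +0000] "GET /upload?resumableChunkNumber=1&resumableIdentifier=..%252F..%252Fvar%252Fwww HTTP/1.1" 404 0
10.0.0.5 - alice [24/Mar/2026:10:00:12 +0000] "POST /upload HTTP/1.1" 200 12
"""

def decode_fully(value, max_rounds=3):
    """URL-decode until stable so a double-encoded '..%252F' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def identifier_is_safe(raw):
    """True only if the fully decoded identifier cannot act as a path component."""
    ident = decode_fully(raw).replace("\\", "/")
    if not SAFE_IDENTIFIER.fullmatch(ident):
        return False
    # '.' and '..' pass the character class but still change the directory.
    return ident.strip(".") != ""

def scan_access_log(log_text):
    """Return (client, identifier) for each query-string identifier that fails the allowlist."""
    # Only the GET test requests put resumableIdentifier in the query string; chunk
    # POSTs carry it in the multipart body, which the access log never records.
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        for raw in params.get("resumableIdentifier", []):
            if not identifier_is_safe(raw):
                findings.append((m.group("client"), raw))
    return findings
```

Because chunk POST bodies never reach the web server's access log, pair this with application-level logging of the identifier FileRise actually uses when assembling chunks.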
Upgrade FileRise to version 3.10.0 or later. This version fixes the path traversal vulnerability in file upload handling, preventing arbitrary writing and deletion of files and directories on the server.
CVE-2026-33329 is a Path Traversal vulnerability in FileRise versions 1.0.1 through 3.9.9, allowing authenticated users to write files to arbitrary locations on the server.
You are affected if you are running FileRise versions 1.0.1 through 3.9.9. Upgrade to version 3.10.0 or later to resolve the vulnerability.
Upgrade FileRise to version 3.10.0 or later. As a temporary workaround, restrict user upload permissions and implement WAF rules to sanitize input.
No active exploitation has been reported at this time, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the FileRise project's official website or GitHub repository for the latest security advisories and release notes.