Platform: other
Component: filerise
Fixed in: 1.0.2
CVE-2026-33329 describes a Path Traversal vulnerability discovered in FileRise, a self-hosted web file manager and WebDAV server. This flaw allows authenticated users with upload permissions to manipulate file system paths, potentially leading to unauthorized file access and modification. The vulnerability affects versions 1.0.1 through 3.9.9 and has been resolved in version 3.10.0.
The impact of this Path Traversal vulnerability is significant. An attacker, once authenticated and possessing upload privileges, can leverage the resumableIdentifier parameter within the Resumable.js chunked upload handler to write files to any location on the server's file system. This includes overwriting critical system files or injecting malicious code. Furthermore, the attacker can delete arbitrary directories, disrupting service and potentially causing data loss. The ability to probe file and directory existence allows for reconnaissance and further exploitation.
This vulnerability was publicly disclosed on March 24, 2026. No known public exploits or active campaigns have been reported at the time of writing. The authentication requirement limits exposure, but the ease of exploitation once authenticated makes it a concern for FileRise deployments. It is not currently listed on the CISA KEV catalog.
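The flaw described above comes down to how the chunked upload handler turns the client-supplied resumableIdentifier into a filesystem path. The Python below is an added illustration, not FileRise's own code (the project's handler is not shown on this page): a naive join that lets the identifier walk out of the chunk directory, beside a hardened version that first allowlists the identifier (Resumable.js's default identifiers are the file size plus the filename with everything but letters, digits, '-' and '_' stripped) and then independently checks that the normalized path still lies under the chunk directory. The directory name and sample identifiers are constructed.

```python
import posixpath
import re

# Allowlist matching what Resumable.js generates by default (size + filename with
# non-alphanumerics stripped). Anything else is rejected before it touches a path.
SAFE_IDENT = re.compile(r"[A-Za-z0-9_-]{1,128}")


def naive_chunk_path(chunk_dir: str, identifier: str, chunk_number: int) -> str:
    """Vulnerable pattern: the identifier is spliced into the path unchecked.

    Returned normalized so the escape is visible: '..' segments walk out of
    chunk_dir and a leading '/' discards it entirely.
    """
    return posixpath.normpath(posixpath.join(chunk_dir, identifier, f"chunk.{chunk_number}"))


def is_contained(base: str, target: str) -> bool:
    """True if target, after lexical normalization, is base or lies beneath it."""
    base, target = posixpath.normpath(base), posixpath.normpath(target)
    # commonpath compares whole segments, so "/srv/chunks2" is not under "/srv/chunks".
    return posixpath.commonpath([base, target]) == base


def safe_chunk_path(chunk_dir: str, identifier: str, chunk_number: int) -> str:
    """Hardened pattern: allowlist the identifier, then prove containment.

    Raises ValueError instead of ever returning a path outside chunk_dir.
    """
    if not SAFE_IDENT.fullmatch(identifier):
        raise ValueError("identifier outside allowlist")
    if not isinstance(chunk_number, int) or chunk_number < 1:
        raise ValueError("chunk number must be a positive integer")
    base = posixpath.normpath(chunk_dir)
    target = posixpath.normpath(posixpath.join(base, identifier, f"chunk.{chunk_number}"))
    # Second, independent layer: even if the allowlist were loosened later, a path
    # that does not start under base (via '..' or a leading '/') is still refused.
    if not is_contained(base, target):
        raise ValueError("path escapes chunk directory")
    return target


def evaluate(chunk_dir: str, identifier: str, chunk_number: int) -> tuple:
    """Return ('accepted', path) or ('rejected', reason) for one upload request."""
    try:
        return ("accepted", safe_chunk_path(chunk_dir, identifier, chunk_number))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    chunk_dir = "/srv/filerise/chunks"  # constructed placeholder, not a FileRise path
    for ident in ("12345-reportpdf", "../../../outside/file", "/abs/path", "a b"):
        print(f"{ident!r:26} naive -> {naive_chunk_path(chunk_dir, ident, 1)}")
        print(f"{'':26} safe  -> {evaluate(chunk_dir, ident, 1)}")
```

The same containment check belongs on the cleanup path that removes a chunk directory once an upload completes or is abandoned; the advisory notes that the identifier also reaches directory deletion. Lexical normalization does not see symlinks, so a real handler should additionally compare the realpath of the chunk directory against the realpath of anything it is about to write or delete.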
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-33329 is to immediately upgrade FileRise to version 3.10.0 or later. If upgrading is not immediately feasible, consider implementing strict access controls to limit user upload permissions. Employ a Web Application Firewall (WAF) with rules to sanitize user-supplied input, specifically targeting the resumableIdentifier parameter. Monitor FileRise logs for unusual file access or modification patterns, particularly those involving unexpected directory traversal sequences. Review and restrict the permissions of the user account used by FileRise to minimize the potential damage from a successful exploit.
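The log monitoring recommended above can be done over ordinary access logs. The Python below is an added example and not part of this page or the FileRise project: it parses constructed sample lines (the "/upload" path and the field layout are placeholders, not FileRise's real log format), pulls out the resumableIdentifier parameter, undoes repeated URL encoding so double-encoded sequences are not missed, and flags values containing dot-dot sequences, path separators, null bytes, or anything outside the alphabet Resumable.js uses for its default identifiers.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: timestamp, client IP, user, method, request target, status.
# "/upload" and the layout are placeholders, not FileRise's actual log format.
SAMPLE_LOG = """\
2026-03-25T10:02:11Z 10.0.0.5 alice POST /upload?resumableIdentifier=12345-reportpdf&resumableChunkNumber=1 200
2026-03-25T10:02:15Z 10.0.0.5 alice POST /upload?resumableIdentifier=../../outside/target&resumableChunkNumber=1 200
2026-03-25T10:02:19Z 10.0.0.9 bob POST /upload?resumableIdentifier=%2fabsolute%2fpath&resumableChunkNumber=2 200
2026-03-25T10:02:23Z 10.0.0.9 bob POST /upload?resumableIdentifier=%252e%252e%252fconfig&resumableChunkNumber=1 200
2026-03-25T10:02:27Z 10.0.0.7 carol POST /upload?resumableIdentifier=photo%2001&resumableChunkNumber=1 200
2026-03-25T10:02:30Z 10.0.0.7 carol GET /files 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$"
)
# Alphabet of a default Resumable.js identifier (size + filename, non-alphanumerics removed).
SAFE_IDENT = re.compile(r"[A-Za-z0-9_-]{1,128}")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Peel repeated URL encoding so %252e (double-encoded '.') is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_identifier(raw: str):
    """Return a reason string if the identifier looks like a traversal attempt, else None."""
    value = decode_fully(raw)
    if "\x00" in value:
        return "null byte"
    if ".." in value:
        return "dot-dot sequence"
    if "/" in value or "\\" in value:
        return "path separator"
    if not SAFE_IDENT.fullmatch(value):
        return "outside identifier allowlist"
    return None


def scan_log(text: str) -> list:
    """Return one finding dict per request whose resumableIdentifier is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        # parse_qs performs one round of percent-decoding; decode_fully handles the rest.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("resumableIdentifier", []):
            reason = suspicious_identifier(raw)
            if reason:
                findings.append({
                    "ts": m["ts"], "ip": m["ip"], "user": m["user"],
                    "identifier": decode_fully(raw), "reason": reason,
                })
    return findings


def by_user(findings: list) -> dict:
    """Count findings per authenticated user, a cheap signal for whose session to review first."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} user={f['user']} reason={f['reason']} identifier={f['identifier']!r}")
    print(by_user(results))
```

The "outside identifier allowlist" reason is deliberately kept separate from the traversal reasons: a deployment with a custom generateUniqueIdentifier on the client may legitimately produce spaces or other characters, so that category is a lower-confidence signal, while dot-dot sequences and separators in the identifier have no legitimate use and should go straight to alerting. If the application logs POST bodies rather than query strings, the same suspicious_identifier check applies to the form field.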
Update FileRise to version 3.10.0 or later. This version fixes the path traversal vulnerability in file upload handling, preventing arbitrary writing and deletion of files and directories on the server.
CVE-2026-33329 is a Path Traversal vulnerability in FileRise versions 1.0.1 through 3.9.9, allowing authenticated users to write files to arbitrary locations on the server.
You are affected if you are running FileRise versions 1.0.1 through 3.9.9. Upgrade to version 3.10.0 or later to resolve the vulnerability.
Upgrade FileRise to version 3.10.0 or later. As a temporary workaround, restrict user upload permissions and implement WAF rules to sanitize input.
No active exploitation has been reported at this time, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the FileRise project's official website or GitHub repository for the latest security advisories and release notes.