Platform
python
Component
fireshare
Fixed in
1.5.4
CVE-2026-34745 is a critical Path Traversal vulnerability affecting Fireshare versions prior to 1.5.3. This vulnerability allows an unauthenticated attacker to write arbitrary files to the server's filesystem, potentially leading to complete system compromise. The vulnerability stems from an incomplete fix for a previous issue, CVE-2026-33645, leaving the unauthenticated upload endpoint vulnerable. Version 1.5.3 addresses this issue.
The impact of this vulnerability is severe. An attacker can leverage the /api/uploadChunked/public endpoint to write arbitrary files to any writable location on the server. This could involve overwriting critical system files, injecting malicious code (e.g., web shells), or exfiltrating sensitive data. Successful exploitation could lead to complete server takeover and data breach. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers. The ability to write arbitrary files bypasses standard security controls and allows for persistent backdoors.
This vulnerability was publicly disclosed on 2026-04-02. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. The vulnerability's similarity to other file upload vulnerabilities suggests that attackers may quickly develop and deploy exploits.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade Fireshare to version 1.5.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/uploadChunked/public endpoint with suspicious checkSum parameters. Restrict write permissions on the server filesystem to the minimum necessary for Fireshare's operation. Regularly review and audit server logs for any unusual file creation or modification activity. After upgrading, confirm the fix by attempting a file upload via the vulnerable endpoint and verifying that the upload fails with an appropriate error message.
Update to version 1.5.3 or higher. This version corrects the path traversal vulnerability in the /api/uploadChunked/public endpoint. The update will prevent unauthenticated attackers from writing arbitrary files to the system.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34745 is a critical Path Traversal vulnerability in Fireshare versions prior to 1.5.3, allowing unauthenticated attackers to write arbitrary files to the server's filesystem.
You are affected if you are running Fireshare version 1.5.3 or earlier. Immediately upgrade to the latest version to mitigate the risk.
The recommended fix is to upgrade Fireshare to version 1.5.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the vulnerable endpoint.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Continuous monitoring is advised.
Refer to the Fireshare project's official website or security advisories for the latest information and updates regarding CVE-2026-34745.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.