Platform: php
Component: filerise
Fixed in: 3.8.1
CVE-2026-33070 is a denial-of-service (DoS) vulnerability affecting FileRise, a self-hosted web file manager and WebDAV server. This vulnerability allows unauthenticated users to delete file share links, effectively denying access to shared files. The issue impacts versions of FileRise prior to 3.8.0 and has been resolved in version 3.8.0.
The primary impact of CVE-2026-33070 is the disruption of shared file access. An attacker can repeatedly delete share links, rendering files inaccessible to legitimate users who rely on those links. While not resulting in data exfiltration or system compromise, this denial of service can significantly impact productivity and collaboration. The ease of exploitation, requiring only the share token and no authentication, increases the potential for widespread disruption, especially in environments with numerous shared files and links. This vulnerability highlights the importance of proper authentication and authorization controls, even for seemingly innocuous endpoints.
CVE-2026-33070 has a LOW CVSS score of 3.7. As of the publication date (2026-03-20), there is no indication of this vulnerability being actively exploited in the wild. No public proof-of-concept (POC) code has been released. The vulnerability is not listed on KEV or EPSS, suggesting a low probability of exploitation. Refer to the official FileRise advisory for further details.
Exploit Status
EPSS: 0.04% (13th percentile)
The recommended mitigation is to upgrade FileRise to version 3.8.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restricting access to the /api/file/deleteShareLink.php endpoint using a web application firewall (WAF) or proxy server can prevent unauthorized access. Alternatively, implement a configuration change to require authentication for this endpoint, although this may require modifying the FileRise code. Monitor FileRise logs for suspicious activity, specifically requests to the /api/file/deleteShareLink.php endpoint originating from unexpected IP addresses. After upgrading, confirm the fix by attempting to access a share link anonymously and verifying that the deletion fails.
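The log monitoring described above can be done with a short script. This is an added example, not FileRise code; the Common/Combined Log Format, the trusted address ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/api/file/deleteShareLink.php"  # endpoint named in the advisory
# Assumption: address ranges from which share-link deletion is expected.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption: the front-end web server logs in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def targets_endpoint(target):
    # Drop the query string, percent-decode and collapse repeated slashes so
    # variant spellings of the path still match. The substring test also
    # covers installs under a sub-directory.
    path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))
    return ENDPOINT.lower() in path.lower()

def find_suspicious(lines):
    """Return (hits, per_ip) for endpoint requests from untrusted sources."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_endpoint(m["target"]) or is_trusted(m["ip"]):
            continue
        hits.append((m["ts"], m["ip"], m["method"], int(m["status"])))
        per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [20/Mar/2026:10:00:01 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 27',
    '203.0.113.9 - - [20/Mar/2026:10:02:11 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 27',
    '203.0.113.9 - - [20/Mar/2026:10:02:12 +0000] "POST /files//api/file/deleteShareLink.php?x=1 HTTP/1.1" 200 27',
    '198.51.100.4 - - [20/Mar/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    'unparseable line',
]
```

Feed `find_suspicious` the lines of the real access log and alert on any non-empty result; the per-IP counter separates a single stray request from repeated deletions by one source.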
Upgrade FileRise to version 3.8.0 or later. This version fixes the unauthenticated share-link deletion vulnerability. The update will prevent unauthorized users from deleting share links, restoring secure access to shared files.
CVE-2026-33070 is a denial-of-service vulnerability in FileRise versions prior to 3.8.0. Unauthenticated users can delete file share links, disrupting shared file access.
You are affected if you are running FileRise version 3.8.0 or earlier. Upgrade to 3.8.0 to mitigate the vulnerability.
Upgrade FileRise to version 3.8.0. As a temporary workaround, restrict access to the /api/file/deleteShareLink.php endpoint using a WAF or proxy.
As of the publication date, there is no evidence of active exploitation of CVE-2026-33070 in the wild.
Refer to the official FileRise advisory for detailed information and updates regarding CVE-2026-33070.