CVE-2026-33329

HIGH

FileRise: Path Traversal in `resumableIdentifier` Leading to Arbitrary File Write, Recursive Directory Deletion, and Limited Existence Oracle

Title source: cna
STIX 2.1

Description

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

References (3)

Scores

CVSS v3 8.1
EPSS 0.0009
EPSS Percentile 24.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22 CWE-73
Status published
Products (2)
error311/FileRise >= 1.0.1, < 3.10.0
filerise/filerise 1.0.1 - 3.10.0
Published Mar 24, 2026
Tracked Since Mar 25, 2026