CVE-2026-33330

HIGH

FileRise ONLYOFFICE integration allows read-only users to overwrite files via forged save callback

Title source: cna

Description

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.

References (3)

Scores

CVSS v3 7.1
EPSS 0.0001
EPSS Percentile 1.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Details

CWE
CWE-863
Status published
Products (2)
error311/FileRise < 3.10.0
filerise/filerise < 3.10.0
Published Mar 24, 2026
Tracked Since Mar 25, 2026