CVE-2026-33477

MEDIUM

FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content

Title source: cna

Description

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.

References (2)

[X_Refsource_Confirm] https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83

[X_Refsource_Misc] https://github.com/error311/FileRise/releases/tag/v3.11.0

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-863

Status published

Products (2)

error311/FileRise >= 2.3.7, < 3.11.0

filerise/filerise 2.3.7 - 3.11.0

Published Mar 26, 2026

Tracked Since Mar 26, 2026