CVE-2026-34745

CRITICAL

Fireshare < 1.5.3 - Unauthenticated Path Traversal and Arbitrary File Write

Title source: manual

Description

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.

References (4)

Scores

CVSS v3 9.1
EPSS 0.0006
EPSS Percentile 18.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
shaneisrael/fireshare < 1.5.3
ShaneIsrael/fireshare < 1.5.3
Published Apr 02, 2026
Tracked Since Apr 03, 2026