CVE-2026-33071HIGH 8.8EPSS p45.0%

CVE-2026-33071CVE-2026-33071

Description

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.62% probability of exploitation · percentile 45.0% · 2026-06-19T12:03:05Z
Published2026-03-20
Last modified2026-03-23

Underlying weaknesses· 2

CWE-434CWE-552

References

  1. https://github.com/error311/FileRise/releases/tag/v3.8.0
  2. https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2

2

TypeTargetConfidenceTier
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live
WeaknessFiles or Directories Accessible to External Partiescwe-5520%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33329
CVE
CVE-2025-62510
CVE
CVE-2025-62509
CVE
CVE-2026-44460
CVE
CVE-2025-46001
CVE
CVE-2025-63994
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.