CVE-2026-33329 · HIGH 8.1 · EPSS p35.3%

Description

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.
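A sketch of the kind of check whose absence the description points to, as an added example that is not FileRise's code or its 3.10.0 patch: the identifier is held to a single allowlisted path component before it is joined to the temp root, which covers the write, cleanup-delete and existence-probe paths at once. The function name `chunkDirFor`, the `resumable_` directory prefix and the demo temp root are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not FileRise code): map a Resumable.js identifier to its
// per-upload chunk directory, refusing anything that could leave $tempRoot.
function chunkDirFor(string $tempRoot, string $resumableIdentifier): string
{
    // Allowlist a single path component: no separators, dots or NUL bytes.
    // Assumption: identifiers follow Resumable.js's default format
    // (file size, '-', filename reduced to [0-9a-zA-Z_-]).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $resumableIdentifier)) {
        throw new InvalidArgumentException('invalid resumableIdentifier');
    }

    $root = realpath($tempRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('upload temp root missing');
    }

    // 'resumable_' is a hypothetical prefix chosen for this example.
    $dir = $root . DIRECTORY_SEPARATOR . 'resumable_' . $resumableIdentifier;

    // Defence in depth: an existing entry (for example a planted symlink)
    // must still resolve to a direct child of the root.
    if (file_exists($dir) || is_link($dir)) {
        $real = realpath($dir);
        if ($real === false || dirname($real) !== $root) {
            throw new RuntimeException('chunk directory escapes temp root');
        }
    }
    return $dir;
}

// Constructed sample inputs: one well-formed identifier, four that must fail.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_tmp_demo';
@mkdir($root, 0700, true);
foreach (['1048576-reportpdf', '../../etc', 'a/b', "x\0y", '..'] as $id) {
    $shown = json_encode($id, JSON_UNESCAPED_SLASHES);
    try {
        echo $shown, ' -> ', chunkDirFor($root, $id), PHP_EOL;
    } catch (Throwable $e) {
        echo $shown, ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same validated directory should be the only value passed to chunk writes, the post-assembly cleanup and any "chunk exists" test, so no code path rebuilds the path from the raw parameter.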

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 35.3% · 2026-06-18T12:00:27Z
Published: 2026-03-24
Last modified: 2026-03-26

Underlying weaknesses · 2

CWE-22, CWE-73

References

  1. https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c
  2. https://github.com/error311/FileRise/releases/tag/v3.10.0
  3. https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh

Type | Target | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0% | live
Weakness | External Control of File Name or Path (cwe-73) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-33071
CVE-2025-62510
CVE-2025-62509
CVE-2026-44460
CVE-2025-67728
CVE-2026-33645

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.