CVE-2026-33071
Remote Code Execution via Unvalidated WebDAV Upload in FileRise
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filerise | filerise | to 3.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-33071 is a vulnerability in FileRise versions prior to 3.8.0 where the WebDAV upload endpoint does not validate filenames properly. Unlike the regular upload path that enforces strict filename validation, the WebDAV upload methods accept filenames directly from the client without any checks.'}, {'type': 'paragraph', 'content': "This allows authenticated users to upload files with dangerous extensions such as .phtml, .php5, .php7, .htaccess, and other server-side executable types. In deployments without Apache's LocationMatch protection, this can lead to remote code execution by allowing these uploaded files to be executed on the server."}, {'type': 'paragraph', 'content': 'The root cause is the lack of centralized filename validation on the WebDAV write path, which was fixed in version 3.8.0 by introducing a centralized upload name policy that enforces strict filename restrictions across all file-write operations.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "If you are using FileRise versions prior to 3.8.0 and your deployment lacks Apache's LocationMatch protection or uses alternative server configurations like nginx reverse proxy, this vulnerability can allow an authenticated user to upload and execute malicious server-side scripts."}, {'type': 'paragraph', 'content': 'This can lead to remote code execution (RCE), enabling attackers to run arbitrary code on your server, potentially compromising the entire system.'}, {'type': 'paragraph', 'content': 'In default Docker deployments with Apache protections, the impact is limited to arbitrary file write without direct RCE, but in custom deployments, the risk is significantly higher.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of files with dangerous extensions such as .phtml, .php5, .php7, .pht, .phps, .htaccess, .shtml, .cgi, .pl, and .py uploaded via the WebDAV endpoint. Since the WebDAV upload endpoint accepts any file extension without validation in vulnerable versions, you can look for such files in the upload directories.'}, {'type': 'paragraph', 'content': 'You can also monitor HTTP responses for WebDAV upload requests that return HTTP 201 Created status codes, indicating successful uploads of potentially dangerous files.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious files on the server include:'}, {'type': 'list_item', 'content': "Find files with dangerous extensions in the upload directory: `find /path/to/uploads -type f \\( -name '*.phtml' -o -name '*.php5' -o -name '*.php7' -o -name '*.pht' -o -name '*.phps' -o -name '.htaccess' -o -name '*.shtml' -o -name '*.cgi' -o -name '*.pl' -o -name '*.py' \\)`"}, {'type': 'list_item', 'content': 'Check WebDAV server logs for PUT requests that resulted in HTTP 201 Created responses, indicating file uploads.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to inspect WebDAV traffic for file uploads with suspicious filenames or extensions.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary immediate mitigation is to upgrade FileRise to version 3.8.0 or later, where the vulnerability is fixed by implementing a centralized filename validation policy for all file uploads, including WebDAV.'}, {'type': 'paragraph', 'content': "If upgrading immediately is not possible, ensure that your deployment uses default protections such as Apache's LocationMatch directive to block direct access to the uploads directory and that .htaccess files are not processed (AllowOverride None). This limits the impact by preventing remote code execution."}, {'type': 'paragraph', 'content': 'Additionally, review and harden your web server configuration to prevent execution of uploaded files with dangerous extensions, especially if using non-default deployments like nginx reverse proxy or modified Apache configurations.'}, {'type': 'paragraph', 'content': 'Consider monitoring and restricting WebDAV upload access to trusted authenticated users only.'}] [1, 2]