CVE-2026-33329
Received Received - Intake

Path Traversal in FileRise Resumable.js Allows Arbitrary File Write

Vulnerability report for CVE-2026-33329, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise From 1.0.1 (inc) to 3.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade FileRise to version 3.10.0 or later, where the issue has been patched.

Additionally, restrict upload permissions to only trusted authenticated users to reduce the risk of exploitation.

Impact Analysis

The vulnerability can have serious impacts including unauthorized file writes to arbitrary directories, which can lead to data corruption or unauthorized data placement. It also allows deletion of arbitrary directories, potentially causing data loss. Additionally, it enables an attacker to probe the existence of files or directories, which can be used for further attacks or information gathering.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, in versions from 1.0.1 up to but not including 3.10.0. It involves the resumableIdentifier parameter used in the Resumable.js chunked upload handler. The parameter is concatenated directly into filesystem paths without any sanitization, which means an authenticated user with upload permission can manipulate this parameter to write files to arbitrary directories on the server, delete arbitrary directories during cleanup, and probe for the existence of files or directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart