CVE-2026-33329
Received Received - Intake
Path Traversal in FileRise Resumable.js Allows Arbitrary File Write

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33329
EUVD
EUVD-2026-14992
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise From 1.0.1 (inc) to 3.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade FileRise to version 3.10.0 or later, where the issue has been patched.

Additionally, restrict upload permissions to only trusted authenticated users to reduce the risk of exploitation.

Impact Analysis

The vulnerability can have serious impacts including unauthorized file writes to arbitrary directories, which can lead to data corruption or unauthorized data placement. It also allows deletion of arbitrary directories, potentially causing data loss. Additionally, it enables an attacker to probe the existence of files or directories, which can be used for further attacks or information gathering.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, in versions from 1.0.1 up to but not including 3.10.0. It involves the resumableIdentifier parameter used in the Resumable.js chunked upload handler. The parameter is concatenated directly into filesystem paths without any sanitization, which means an authenticated user with upload permission can manipulate this parameter to write files to arbitrary directories on the server, delete arbitrary directories during cleanup, and probe for the existence of files or directories.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart