CVE-2026-33329
Path Traversal in FileRise Resumable.js Allows Arbitrary File Write
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filerise | filerise | From 1.0.1 (inc) to 3.10.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade FileRise to version 3.10.0 or later, where the issue has been patched.
Additionally, restrict upload permissions to only trusted authenticated users to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
How can this vulnerability impact me?
The vulnerability can have serious impacts including unauthorized file writes to arbitrary directories, which can lead to data corruption or unauthorized data placement. It also allows deletion of arbitrary directories, potentially causing data loss. Additionally, it enables an attacker to probe the existence of files or directories, which can be used for further attacks or information gathering.
Can you explain this vulnerability to me?
This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, in versions from 1.0.1 up to but not including 3.10.0. It involves the resumableIdentifier parameter used in the Resumable.js chunked upload handler. The parameter is concatenated directly into filesystem paths without any sanitization, which means an authenticated user with upload permission can manipulate this parameter to write files to arbitrary directories on the server, delete arbitrary directories during cleanup, and probe for the existence of files or directories.
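As an added illustration (not FileRise's own code), the unsanitized concatenation pattern described above is shown beside a hardened version that allow-lists the identifier and then verifies the resulting path stays inside the chunk directory. The chunk root, the identifier allow-list, and the function names are assumptions made for this example.

```python
import os
import re

# Constructed chunk directory for this illustration; FileRise's real layout is not reproduced.
CHUNK_ROOT = "/var/app/uploads/.chunks"

# Assumed allow-list: the default Resumable.js identifier is "<size>-<cleaned filename>",
# which starts with a digit and contains only these characters. Leading "." is refused so
# that "." and ".." can never pass as an identifier.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def chunk_path_vulnerable(identifier: str, chunk_number: int) -> str:
    """The CWE-22 pattern: the client-supplied identifier goes straight into the path."""
    return os.path.join(CHUNK_ROOT, identifier, f"part{chunk_number}")


def escapes_root(path: str, root: str = CHUNK_ROOT) -> bool:
    """True if the lexically normalised path lies outside root.

    os.path.normpath collapses '..' without touching the disk, so this runs offline;
    on a live server also resolve with os.path.realpath so a symlink planted inside
    the chunk directory cannot redirect the write.
    """
    normalised = os.path.normpath(path)
    return os.path.commonpath([normalised, root]) != os.path.normpath(root)


def chunk_path_hardened(identifier: str, chunk_number: int) -> str:
    """Allow-list the identifier, then still check containment (defence in depth)."""
    if not IDENTIFIER_RE.fullmatch(identifier):
        raise ValueError("rejected resumableIdentifier: disallowed characters")
    if not isinstance(chunk_number, int) or chunk_number < 1:
        raise ValueError("rejected resumableChunkNumber")
    path = os.path.join(CHUNK_ROOT, identifier, f"part{chunk_number}")
    if escapes_root(path):
        raise ValueError("rejected resumableIdentifier: path leaves chunk root")
    return path


def accepts(identifier: str, chunk_number: int = 1) -> bool:
    """Convenience predicate: does the hardened handler accept this identifier?"""
    try:
        chunk_path_hardened(identifier, chunk_number)
        return True
    except ValueError:
        return False
```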