CVE-2026-34745
Received Received - Intake
Arbitrary File Write in Fireshare Public Upload Endpoint

Publication date: 2026-04-02

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34745
EUVD
EUVD-2026-18507
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shaneisrael fireshare to 1.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34745 is a critical path traversal vulnerability in the Fireshare application affecting the unauthenticated public upload endpoint (/api/uploadChunked/public). The vulnerability arises because the checkSum parameter, used to construct the file path for uploaded files, is not properly sanitized or validated. This allows an attacker to craft malicious checkSum values containing directory traversal sequences (like "../") to write arbitrary files with attacker-controlled content to any writable location on the server filesystem without authentication.

The issue was that while the authenticated upload endpoint sanitized the checkSum parameter and enforced path traversal protections, the public upload endpoint did not, enabling unauthorized directory traversal during file uploads.

This vulnerability was fixed in version 1.5.3 by sanitizing the checkSum parameter to allow only alphanumeric characters, underscores, and hyphens, validating the uploaded file, and verifying that the resolved file path stays within the intended upload directory.

Impact Analysis

This vulnerability allows an unauthenticated attacker to write arbitrary files anywhere on the server's filesystem where the application has write permissions. The attacker can control both the file path and the file content.

  • Potential remote code execution by overwriting critical application files such as Python modules.
  • Denial of service by overwriting or corrupting important application or system files.
  • Complete compromise of the server's integrity and availability due to unauthorized file writes.

Because no authentication is required to exploit this vulnerability, the risk and impact are significantly higher.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the unauthenticated endpoint /api/uploadChunked/public that include crafted checkSum parameters containing path traversal sequences such as "../".

You can look for HTTP POST requests with unusual checkSum values that attempt to write files outside the intended upload directory.

Example commands to detect potential exploitation attempts include:

  • Using grep on web server logs to find suspicious POST requests: grep -i 'POST /api/uploadChunked/public' /var/log/nginx/access.log | grep '\.\./'
  • Using tcpdump or Wireshark to capture and filter HTTP POST requests to the vulnerable endpoint and inspect the checkSum parameter for path traversal patterns.
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in POST parameters targeting /api/uploadChunked/public.
Mitigation Strategies

The immediate mitigation step is to upgrade Fireshare to version 1.5.3 or later, which includes the patch that sanitizes the checkSum parameter and implements path traversal protections on the public upload endpoint.

If upgrading immediately is not possible, consider temporarily disabling the public upload feature or the /api/uploadChunked/public endpoint to prevent unauthenticated uploads.

Additionally, monitor and block suspicious requests that attempt path traversal via the checkSum parameter.

Ensure that the server filesystem permissions restrict write access only to intended directories to limit the impact of any exploitation.

Compliance Impact

CVE-2026-34745 allows unauthenticated attackers to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This can lead to unauthorized modification or overwriting of critical files, potentially resulting in remote code execution or denial of service.

Such unauthorized file writes and potential system compromise can lead to violations of data integrity and availability requirements found in common standards and regulations like GDPR and HIPAA. For example, GDPR mandates appropriate security measures to protect personal data from unauthorized alteration or destruction, and HIPAA requires safeguards to ensure the integrity and availability of electronic protected health information.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations by enabling attackers to compromise system integrity and availability, potentially exposing sensitive data or disrupting services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34745. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart