CVE-2026-54414
Path Traversal in FileRise Before 3.16.0

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor    Product   Version / Range
error311  filerise  up to 3.16.0 (excluding)
error311  filerise  3.15.0
error311  filerise  3.16.0
CWE ID   Description
CWE-22   The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-434  The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

CVE-2026-54414 is a path traversal vulnerability in FileRise versions before 3.16.0, specifically in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php). The vulnerability arises because the filename validation allows URL-encoded sequences that can be decoded into path traversal characters (like ../), enabling an attacker to write files outside the intended upload directory.

An attacker with a valid, non-expired, upload-enabled shared-folder link or token can exploit this flaw to overwrite arbitrary files, including creating an administrator account. This can lead to unauthenticated administrator takeover and potentially remote code execution depending on the configuration.

The issue is due to improper validation where the filename is first validated with basename() and a regex that blocks slashes but not percent-encoded characters, then later URL-decoded and reconstructed, reintroducing path separators. The destination path is used directly in move_uploaded_file() without containment checks, allowing writes outside the intended directory.

This vulnerability was fixed in FileRise version 3.16.0 by URL-decoding the filename before validation and rejecting any path separators in the upload filename.
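The ordering described in the Description above and restated in this summary, as an added example that is not FileRise's own code: the validate-then-decode sequence beside a version that decodes first, rejects separators, and adds a realpath() containment check (that last step is an extra barrier, not part of the page's stated fix). Function names, the upload-directory argument and the demo values are assumptions.

```php
<?php
// Added illustration, not FileRise code: the validate-then-decode ordering the
// advisory describes beside a hardened check. Function names, the upload-dir
// argument and the demo values are assumptions; REGEX_FILE_NAME is modelled on
// the description (it blocks / and \ but not %).
const REGEX_FILE_NAME = '/^[^\/\\\\]+$/';

// Vulnerable ordering: validate the raw name, decode it later.
function vulnerableDestination(string $uploadDir, string $fileName): ?string
{
    if (!preg_match(REGEX_FILE_NAME, basename($fileName))) {
        return null; // "..%2fusers%2fusers.txt" contains no slash, so it passes
    }
    $name = trim(urldecode(basename($fileName))); // separators reappear here
    return $uploadDir . '/' . $name;               // e.g. <dir>/../users/users.txt
}

// Hardened ordering (the 3.16.0 approach): decode first, reject any separator,
// then confirm the resolved parent is the upload directory itself.
function safeDestination(string $uploadDir, string $fileName): ?string
{
    $name = trim(urldecode($fileName));
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\\0") !== false) {
        return null; // any / \ or NUL present after decoding is rejected outright
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // Containment: resolve the parent (the file may not exist yet) and compare
    // it to the canonical upload directory, as a second, independent barrier.
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Constructed demo: the encoded name quoted in the advisory against a temp dir.
$uploadDir = sys_get_temp_dir();
$payload   = '..%2fusers%2fusers.txt';
var_dump(vulnerableDestination($uploadDir, $payload)); // escapes $uploadDir
var_dump(safeDestination($uploadDir, $payload));       // rejected
var_dump(safeDestination($uploadDir, 'report.pdf'));   // confined inside $uploadDir
```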

Impact Analysis

Exploitation of this vulnerability allows an attacker to write arbitrary files on the server hosting FileRise, which can lead to severe consequences.

  • Unauthenticated administrator account takeover by overwriting user files to create admin credentials.
  • Potential remote code execution depending on the server configuration, allowing full control over the affected system.
  • Unauthorized modification or replacement of files, leading to data integrity issues and possible service disruption.

Detection Guidance

Detecting exposure to this vulnerability means checking whether your FileRise installation is a version prior to 3.16.0 and whether it has issued upload-enabled shared-folder links or tokens that could be exploited.

Since exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token, monitoring access logs for unusual or unauthorized upload attempts to the /api/folder/uploadToSharedFolder.php endpoint may help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Checking the FileRise version installed (e.g., via command line or application interface) to confirm if it is older than 3.16.0.
  • Reviewing web server logs for POST requests to /api/folder/uploadToSharedFolder.php with suspicious filename parameters containing URL-encoded path traversal sequences (e.g., %2f).
  • Using network monitoring tools to detect unusual upload activity or attempts to write files outside intended directories.

Mitigation Strategies

The primary mitigation step is to upgrade FileRise to version 3.16.0 or later, which includes fixes that reject encoded path separators during uploads and properly validate upload filenames.

Additional recommended steps include:

  • Configure trusted proxy source validation for proxy-header login as per the security hardening measures in the patched release.
  • Block password-only WebDAV login for TOTP-enabled accounts to reduce attack surface.
  • Apply blocked upload filename policies before archive extraction to prevent malicious file uploads.
  • Prevent reopening of first-run setup after initial admin creation to avoid unauthorized admin account creation.
  • Review and adjust WebDAV access for TOTP-enabled accounts as advised.

Compliance Impact

The vulnerability in FileRise allows an attacker with a valid upload-enabled shared-folder link/token to perform arbitrary file writes and potentially take over an administrator account. This unauthorized access and control could lead to exposure or manipulation of sensitive data, which may violate data protection requirements under regulations such as GDPR and HIPAA.

Because the vulnerability enables unauthenticated administrative takeover and possibly remote code execution, it undermines the confidentiality, integrity, and availability of data managed by FileRise. This could result in non-compliance with standards that require strict access controls, auditability, and protection of personal or health information.

Organizations using vulnerable versions of FileRise prior to 3.16.0 may face increased risk of data breaches or unauthorized data manipulation, which are critical compliance concerns under GDPR, HIPAA, and similar regulations.
