CVE-2026-33071 in FileRise

Summary

by MITRE • 03/20/2026

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-33071 affects FileRise, a self-hosted web file manager and WebDAV server, in versions prior to 3.8.0, where missing filename validation can lead to remote code execution. It represents a critical security oversight that directly affects the integrity and confidentiality of deployed systems. The flaw is a design inconsistency: the WebDAV upload endpoint does not enforce the filename validation that the regular upload path applies, leaving an exploitable gap in the application's security posture.

The technical implementation of this vulnerability resides in the differential handling of file uploads between WebDAV and standard upload mechanisms within FileRise's codebase. Specifically, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php directly accept filenames provided by WebDAV clients without any validation, while the conventional upload path in UploadModel::upload() properly validates filenames against the REGEX_FILE_NAME pattern. This inconsistency allows malicious actors to upload files with server-side executable extensions such as .phtml, .php5, and .htaccess, which can subsequently be executed by the web server when accessed through the application's interface. The vulnerability operates at the application layer and represents a classic case of insufficient input validation that enables arbitrary file upload attacks.

The operational impact of this vulnerability extends beyond simple data compromise to encompass full system compromise when deployed in non-default configurations. In environments lacking Apache's LocationMatch protection, uploaded executable files can be directly executed by the web server, providing attackers with remote code execution capabilities. This vulnerability aligns with CWE-434, which addresses the insecure upload of executable files, and demonstrates how improper access control and validation mechanisms can lead to severe consequences. The attack vector is particularly concerning because it leverages legitimate WebDAV functionality to bypass security controls, making detection more difficult and exploitation more straightforward. Security researchers have documented similar patterns in other file management systems where WebDAV endpoints bypassed the same validation mechanisms that protect standard upload paths.

The remediation strategy for this vulnerability requires immediate deployment of FileRise version 3.8.0, which addresses the inconsistent validation logic by ensuring that WebDAV upload endpoints apply the same filename restrictions as regular upload mechanisms. Organizations should also implement additional defensive measures including restricting WebDAV access to trusted networks, implementing proper file type filtering at the web server level, and conducting regular security audits of file upload mechanisms. From an ATT&CK perspective, this vulnerability maps to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), as it enables attackers to execute malicious code on compromised systems. System administrators should also consider implementing network-based intrusion detection systems to monitor for suspicious WebDAV activity and file upload patterns that could indicate exploitation attempts. The vulnerability serves as a reminder of the critical importance of consistent security controls across all application interfaces and the necessity of comprehensive input validation throughout the software development lifecycle.
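The monitoring suggested above can be turned into a concrete check on the web server's own access log. The following Python is an added example, not FileRise or VulDB code: it scans Apache combined-format log lines for WebDAV PUT requests whose target name the web server could execute (the .phtml/.php5-style extensions and .htaccess named in the advisory, plus double extensions such as name.php.jpg that AddHandler-style configurations may still pass to PHP). The log lines, the /webdav/uploads/ path prefix and the extension list are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Extensions commonly mapped to the PHP handler (assumed list; tune per deployment),
# plus Apache per-directory config files that an upload should never be allowed to create.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}
SPECIAL_NAMES = {".htaccess", ".htpasswd"}

# Apache combined log: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def dangerous_name(path: str) -> bool:
    """True if the final path component is a name the web server may execute or honour."""
    name = unquote(path.split("?", 1)[0]).rsplit("/", 1)[-1].lower()
    if name in SPECIAL_NAMES:
        return True
    # Check every dotted segment, not only the last, so "shell.php.jpg" is caught too.
    return any(seg in EXEC_EXTENSIONS for seg in name.split(".")[1:])

def flag_webdav_uploads(lines):
    """Return (client_ip, path, status) for each PUT of an executable-looking file name.
    Failed attempts (non-2xx) are kept on purpose: they are still worth an alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "PUT" and dangerous_name(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits

# Constructed sample log lines (not real traffic); the first and last are benign.
SAMPLE_LOG = [
    '203.0.113.5 - alice [21/Mar/2026:10:02:11 +0000] "PUT /webdav/uploads/report.pdf HTTP/1.1" 201 0 "-" "WinSCP"',
    '203.0.113.9 - - [21/Mar/2026:10:05:42 +0000] "PUT /webdav/uploads/cmd.phtml HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Mar/2026:10:05:50 +0000] "PUT /webdav/uploads/.htaccess HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Mar/2026:10:06:01 +0000] "PUT /webdav/uploads/photo.php.jpg HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '198.51.100.7 - bob [21/Mar/2026:10:07:13 +0000] "PROPFIND /webdav/uploads/ HTTP/1.1" 207 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in flag_webdav_uploads(SAMPLE_LOG):
        print(f"suspicious WebDAV upload from {ip}: {path} (HTTP {status})")
```

On a patched 3.8.0 install the same scan is still useful as a regression check: a hit with a 201 status means the server-side filter did not fire.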

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00072

KEV

no

Activities

very low
