CVE-2026-33329 in FileRise
Summary
by MITRE • 03/24/2026
FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.
Analysis
by VulDB Data Team • 03/29/2026
CVE-2026-33329 affects FileRise, a self-hosted web file manager and WebDAV server. The flaw sits in the Resumable.js chunked upload handler, UploadModel::handleUpload(), where the client-supplied resumableIdentifier parameter is incorporated into filesystem paths without sanitization or validation. Versions from 1.0.1 up to, but not including, 3.10.0 are affected, and any authenticated user who holds upload permission can trigger the issue.
The root cause is improper input validation in path construction. Resumable.js splits a file into chunks and sends each chunk with a resumableIdentifier that the server uses to group the chunks belonging to one upload, so the identifier ends up in the staging path for that upload. Because FileRise concatenates the identifier directly into that path, a client can embed directory separators and ".." sequences and redirect every filesystem operation the handler performs at a location of its choosing. The identifier is never checked against an allow-list, and the resulting path is never canonicalized and compared with the intended upload root, so the two checks that normally stop this class of bug are both absent.
The impact is three distinct primitives rather than a single unauthorized upload. First, arbitrary write: chunk data is written under the attacker-chosen path, so files can be placed in any directory the web server process itself can write to (the process's own filesystem permissions still apply, but the application's access controls no longer do). Second, arbitrary delete: after the chunks are assembled, the handler removes what it takes to be the temporary chunk directory, and with a traversed identifier that directory is whatever the attacker named, so entire directory trees can be destroyed. Third, existence probing: the handler behaves differently depending on whether the target path already exists, which lets an attacker map the server filesystem and locate configuration files or other sensitive directories. Write and delete together with traversal give an authenticated low-privilege user the means for data destruction and, if attacker-controlled content can be written where the server executes or loads it, a path to code execution and broader compromise of the host.
Security professionals should classify this as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"). Because exploitation requires an authenticated account with upload permission, ATT&CK T1078 Valid Accounts describes the access vector; the issue is not a command injection and no scripting-interpreter technique is implied by the advisory. Organizations running FileRise 1.0.1 or later but earlier than 3.10.0 should upgrade to 3.10.0 or later. Independent of the upgrade, the general defences are: accept only an allow-listed character set for any client-supplied identifier that becomes part of a path, canonicalize the resulting path and verify it still lies under the intended upload root before any write, delete or existence check, and restrict upload permission and the web server's writable filesystem footprint to the minimum needed. The vulnerability is a reminder that validation must happen before user input reaches a filesystem call, not after.
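The following is an added illustration of the mechanism described above and of the two-layer fix the mitigations call for; it is not FileRise code (FileRise is a PHP project, and this is a language-neutral sketch in Python). The upload root, the chunk file naming, the "secret" sibling directory and the function names are all assumptions made for the demonstration. The allow-list is based on Resumable.js's default identifier format, which by default is the file size, a hyphen and the filename stripped to [0-9A-Za-z_-]; a deployment that customises the identifier would need to adjust it.

```python
import os
import re
import shutil
import tempfile

# Allow-list for the client-supplied chunk identifier. Resumable.js's default
# identifier is "<size>-<filename stripped to [0-9A-Za-z_-]>", so this character
# set accepts every default identifier while rejecting "/" and "..".
# (Assumed policy for this illustration, not FileRise's own rule.)
SAFE_IDENTIFIER = re.compile(r"[A-Za-z0-9_-]{1,128}")


def vulnerable_chunk_path(upload_root, identifier, chunk_number):
    """The pattern the advisory describes: the identifier goes straight into the path."""
    return os.path.join(upload_root, identifier, f"chunk_{chunk_number}")


def inside_root(upload_root, path):
    """True when `path`, after resolving symlinks and '..', is still under `upload_root`."""
    root = os.path.realpath(upload_root)
    resolved = os.path.realpath(path)
    return os.path.commonpath([root, resolved]) == root


def hardened_chunk_path(upload_root, identifier, chunk_number):
    """Allow-list the identifier, then re-check the resolved path as defence in depth."""
    if not SAFE_IDENTIFIER.fullmatch(identifier):
        raise ValueError(f"rejecting resumableIdentifier: {identifier!r}")
    if chunk_number < 1:
        raise ValueError("chunk number must be positive")
    path = os.path.join(upload_root, identifier, f"chunk_{chunk_number}")
    if not inside_root(upload_root, path):
        raise ValueError("chunk path escapes upload root")
    return path


def hardened_cleanup(upload_root, identifier):
    """Post-assembly cleanup that refuses to remove anything outside the upload root."""
    chunk_dir = os.path.join(upload_root, identifier)
    if not SAFE_IDENTIFIER.fullmatch(identifier) or not inside_root(upload_root, chunk_dir):
        raise ValueError("refusing to remove directory outside upload root")
    shutil.rmtree(chunk_dir, ignore_errors=True)


def demo():
    """Exercise the three primitives from the advisory against a scratch tree (constructed data)."""
    base = tempfile.mkdtemp(prefix="chunk-traversal-demo-")
    try:
        uploads = os.path.join(base, "uploads")   # assumed upload root
        secret = os.path.join(base, "secret")     # sibling directory the attacker targets
        os.makedirs(uploads)
        os.makedirs(secret)
        hostile = "../secret"                      # constructed hostile resumableIdentifier

        # 1. Arbitrary write: the unsanitised path resolves into the sibling directory.
        write_target = vulnerable_chunk_path(uploads, hostile, 1)
        escaped_write = not inside_root(uploads, write_target)

        # 2. Existence probe: a directory check on the traversed path leaks that `secret` exists.
        probe = os.path.isdir(os.path.join(uploads, hostile))

        # 3. Arbitrary delete: an unguarded cleanup would rmtree(uploads/../secret).
        #    Not executed here; instead both hardened entry points must refuse the identifier.
        blocked = []
        for attempt in (lambda: hardened_chunk_path(uploads, hostile, 1),
                        lambda: hardened_cleanup(uploads, hostile)):
            try:
                attempt()
                blocked.append(False)
            except ValueError:
                blocked.append(True)

        # A default-format identifier still works end to end, including cleanup.
        good = hardened_chunk_path(uploads, "1048576-report_pdf", 1)
        os.makedirs(os.path.dirname(good))
        hardened_cleanup(uploads, "1048576-report_pdf")

        return {
            "vulnerable_write_escapes": escaped_write,
            "vulnerable_probe_sees_secret": probe,
            "hardened_blocks_both": all(blocked),
            "hardened_allows_valid": os.path.basename(good) == "chunk_1",
            "cleanup_removed_valid_dir": not os.path.exists(os.path.dirname(good)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allow-list does the real work; the realpath containment check in inside_root() is there so that a future change to the identifier policy, or a symlink planted inside the upload root, cannot silently reopen the hole. Note also that os.path.join() discards earlier components when a later one is absolute, so an identifier beginning with "/" escapes even without ".."; the allow-list rejects that case as well.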