CVE-2026-33071

HIGH EPSS 45.3%

Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published Mar 20, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

45.3% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

CWE-552

Affected Products 1

Vendor	Product	Version	Range
filerise	filerise	*	<3.8.0

References 2

github.com https://github.com/error311/FileRise/releases/tag/v3.8.0

ProductRelease Notes
github.com https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2

ExploitMitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.