FileRise WebDAV Server Vulnerability in File Upload Handling
CVE-2026-33329

8.1HIGH

Key Information:

Vendor

Error311

Status
Filerise
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33329?

FileRise, the self-hosted web file manager and WebDAV server, contains a vulnerability wherein the 'resumableIdentifier' parameter in the UploadModel's chunked upload handler is appended unvalidated to filesystem paths. This permits an authenticated user with upload privileges to manipulate files and directories on the server, enabling them to write to arbitrary locations and potentially delete directories during post-upload operations. This significant flaw affects versions 1.0.1 through 3.9.9 and has been addressed in version 3.10.0.

Affected Version(s)

FileRise >= 1.0.1, < 3.10.0

References

https://github.com/error311/FileRise/security/advisories/...
x_refsource_CONFIRM
https://github.com/error311/FileRise/commit/3871f9fd16616...
x_refsource_MISC
https://github.com/error311/FileRise/releases/tag/v3.10.0
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.