CVE-2026-33329 - Vulnerability Analysis

Overview

FileRise 1.0.1 to < 3.10.0 contains a path traversal caused by unsanitized concatenation of resumableIdentifier parameter in UploadModel::handleUpload(), letting authenticated users with upload permission write and delete arbitrary files/directories, exploit requires authenticated upload permission.

Severity & Score

Impact

Authenticated users with upload permission can write and delete arbitrary files/directories, potentially compromising server integrity and data.

Mitigation

Update to version 3.10.0 or later.

References

• https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c
• https://github.com/error311/FileRise/releases/tag/v3.10.0
• https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-33329 - High (8.1) FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into files... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33329/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner