PT-2026-26587 · Filerise · Filerise

N0Rv-Tvt · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-33070

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

FileRise versions prior to 3.8.0

Description

FileRise is a self-hosted web file manager and WebDAV server. A missing authentication check in the deleteShareLink endpoint allows unauthenticated users to delete arbitrary file share links by providing only the share token, leading to denial of service for shared file access. The /api/file/deleteShareLink.php API endpoint calls the FileController::deleteShareLink() function, which does not perform authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. The vulnerable parameter is the share token.

Recommendations

Update FileRise to version 3.8.0 or later.

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-33070
GHSA-VH5M-W36C-99XV

Affected Products

Filerise