PT-2026-26588 · Filerise · Filerise

N0Rv-Tvt · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-33071

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FileRise versions prior to 3.8.0

Description

FileRise is a self-hosted web file manager and WebDAV server. Prior to version 3.8.0, the WebDAV upload endpoint accepts any file extension, including .phtml, .php5, .htaccess, and other server-side executable types. This bypasses the filename validation enforced by the regular upload path. In deployments without Apache's LocationMatch protection, this can lead to remote code execution. The createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept filenames directly from the WebDAV client without validation, unlike the regular upload endpoint, which uses REGEX_FILE_NAME for validation.

Recommendations

Versions prior to 3.8.0 should be updated to version 3.8.0 or later.
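
The root cause described above is two upload paths with only one of them validating the filename. The sketch below is an added example, not FileRise's code or its 3.8.0 fix: one validator that both a form-upload handler and a WebDAV createFile()/put() handler would call before writing to disk. The function name, the pattern and the extension list are assumptions made for illustration, not FileRise's own validation pattern.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for the application's filename rule; not FileRise's actual pattern.
// The D modifier stops "$" from matching before a trailing newline.
const SAFE_NAME_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}$/D';

// Constructed list of extensions commonly mapped to a server-side handler.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'cgi', 'pl'];

/** Returns null when the name is acceptable, otherwise the reason it is refused. */
function uploadNameRejection(string $name): ?string
{
    // A file name must be a single path component, whatever the client sent.
    if (basename(str_replace('\\', '/', $name)) !== $name) {
        return 'path separators are not allowed in a file name';
    }
    if ($name === '' || $name[0] === '.') {
        return 'empty names and dotfiles such as .htaccess are refused';
    }
    if (preg_match(SAFE_NAME_PATTERN, $name) !== 1) {
        return 'name does not match the allowed pattern';
    }
    // Check every dot-separated segment, not only the last one: with some
    // Apache handler mappings "x.php.jpg" is still passed to the PHP handler.
    $segments = array_slice(explode('.', strtolower($name)), 1);
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return "extension .$segment is server-executable";
        }
    }
    return null;
}

// Constructed sample names, as they might arrive from a form upload or a WebDAV PUT.
$samples = ['report.pdf', 'notes v2 (final).txt', 'shell.phtml', 'x.PHP5', '.htaccess', 'img.php.jpg', "a.txt\n"];
foreach ($samples as $sample) {
    $reason = uploadNameRejection($sample);
    printf("%-24s %s\n", json_encode($sample), $reason === null ? 'accept' : "reject: $reason");
}
```

Only the first two sample names are accepted. A check like this complements, and does not replace, web-server configuration that prevents script execution in the upload directory.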

Exploit

Fix

RCE

Unrestricted File Upload

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers

CVE-2026-33071
GHSA-46GV-GF5F-WVR2

Affected Products

Filerise