CVE-2026-33329

Name of the Vulnerable Software and Affected Versions FileRise versions 1.0.1 through 3.9.9

Description FileRise is a self-hosted web file manager and WebDAV server. The resumableIdentifier parameter within the Resumable.js chunked upload handler, specifically the UploadModel::handleUpload() function, is directly incorporated into filesystem paths without proper sanitization. An authenticated user possessing upload privileges can leverage this to write files to arbitrary directories on the server, delete directories, and determine the existence of files and directories. The issue is addressed in version 3.10.0.

Recommendations Update to version 3.10.0 or later.