PT-2026-29874 · Fireshare · Fireshare

Axel-Corsiez · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34745

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fireshare versions prior to 1.5.3

Description: Fireshare allows self-hosted media and link sharing. Prior to version 1.5.3, a flaw existed in the /api/uploadChunked/public endpoint where an unauthenticated attacker could manipulate the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. The fix for a related issue was applied to the authenticated /api/uploadChunked endpoint but not to the unauthenticated one. This allows for remote code execution.

Recommendations: Update to version 1.5.3 or later.
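
One way to enforce the missing check, added here as an example and not taken from Fireshare's code: a single validator for the checkSum value that both the authenticated and the public chunked-upload routes would call, so a fix cannot reach one endpoint and miss the other. The helper names, the .partN file naming and the accepted hex-digest lengths are assumptions.

```python
import re
from pathlib import Path

# Assumption: the client-supplied checkSum is a hex digest (MD5 to SHA-512 length).
_CHECKSUM_RE = re.compile(r"[0-9a-fA-F]{32,128}")


class UnsafeUploadParameter(ValueError):
    """Raised when a request parameter cannot be used in a file name."""


def chunk_path(upload_root, checksum, chunk_index):
    """Return the on-disk path for one upload chunk, or raise.

    Hypothetical helper: meant to be called by every chunked-upload route,
    authenticated or public, before anything is written to disk.
    """
    # 1. Allowlist the value: hex only, so no separators, dots or NUL bytes.
    if not isinstance(checksum, str) or not _CHECKSUM_RE.fullmatch(checksum):
        raise UnsafeUploadParameter("checkSum is not a hex digest")
    if isinstance(chunk_index, bool) or not isinstance(chunk_index, int) or chunk_index < 0:
        raise UnsafeUploadParameter("chunk index must be a non-negative integer")

    # 2. Defence in depth: resolve and confirm the result stays under the root.
    root = Path(upload_root).resolve()
    candidate = (root / f"{checksum.lower()}.part{chunk_index}").resolve()
    if not candidate.is_relative_to(root):
        raise UnsafeUploadParameter("resolved path escapes the upload directory")
    return candidate


def is_accepted(upload_root, checksum, chunk_index=0):
    """Convenience wrapper for checks: True if the parameters are usable."""
    try:
        chunk_path(upload_root, checksum, chunk_index)
        return True
    except UnsafeUploadParameter:
        return False
```

Rejected requests are worth logging with the source address, since a non-hex checkSum on an upload endpoint has no legitimate cause.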

Fix · RCE · Path traversal

Related Identifiers: CVE-2026-34745

Affected Products: Fireshare