PT-2026-44053 · Filerise · Filerise

Qiaonpc

·

Published

2026-05-27

·

Updated

2026-05-27

·

CVE-2026-44460

CVSS v3.1

7.4

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions FileRise versions prior to 3.12.0
Description FileRise is a self-hosted web-based file manager. The endpoint '/api/totp setup.php' can be accessed by a session that has only completed the password verification (state pending login user). If the target account has Time-based One-Time Password (TOTP) configured, the endpoint decrypts and returns the existing TOTP secret within a QR PNG image. An attacker with the victim's password can retrieve this secret, generate a valid one-time code, and submit it to the '/api/totp verify.php' endpoint to gain a fully authenticated session without the physical authenticator device.
Recommendations Update to version 3.12.0.

Exploit

Fix

Improper Authentication

Information Disclosure

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44460
GHSA-84HW-8G73-V3F8

Affected Products

Filerise