PT-2026-44053 · Filerise · Filerise

Qiaonpc · Published 2026-05-27 · Updated 2026-05-27

CVE-2026-44460 · CVSS v3.1 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FileRise versions prior to 3.12.0

Description: FileRise is a self-hosted web-based file manager. The endpoint '/api/totp_setup.php' can be reached by a session that has only completed password verification (the pending_login_user state), before the second factor has been checked. If the target account already has Time-based One-Time Password (TOTP) configured, the endpoint decrypts the existing TOTP secret and returns it embedded in a QR code PNG image. An attacker who knows the victim's password can therefore retrieve this secret, generate a valid one-time code, and submit it to '/api/totp_verify.php' to obtain a fully authenticated session without possessing the physical authenticator device.

Recommendations: Update to version 3.12.0.
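As an added illustration (not FileRise's code, and not necessarily how 3.12.0 fixes it), the session-state check the description turns on, modelled in Python with the weak gate beside a hardened one; the session state names, the secret store and the sample secret are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import base64
import secrets

# Session states assumed by this model (not FileRise's real session layout):
# "pending" = password accepted, second factor not yet verified.
ANONYMOUS, PENDING, AUTHENTICATED = "anonymous", "pending", "authenticated"

@dataclass
class Session:
    user: Optional[str] = None
    state: str = ANONYMOUS

# Constructed per-user store of enrolled TOTP secrets (None = not enrolled).
TOTP_SECRETS: Dict[str, Optional[str]] = {"alice": "JBSWY3DPEHPK3PXP", "bob": None}
# Secrets proposed by the hardened endpoint; not active until a code confirms them.
PENDING_ENROLLMENTS: Dict[str, str] = {}

class Denied(Exception):
    """Raised when the endpoint refuses to serve the calling session."""

def new_secret() -> str:
    # 160-bit random secret, base32-encoded as authenticator apps expect it.
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp_setup_vulnerable(session: Session) -> str:
    """Weak gate modelled on the advisory: a pending session passes the check,
    and an already-enrolled secret is handed straight back."""
    if session.state not in (PENDING, AUTHENTICATED):
        raise Denied("login required")
    existing = TOTP_SECRETS.get(session.user)
    if existing:
        return existing  # disclosure: the live secret reaches a half-authenticated caller
    TOTP_SECRETS[session.user] = new_secret()
    return TOTP_SECRETS[session.user]

def totp_setup_hardened(session: Session) -> str:
    """Hardened gate (an assumed mitigation): only a fully authenticated session
    may reach setup, and the active secret is never returned; enrollment always
    mints a fresh candidate that stays inactive until a code confirms it."""
    if session.state != AUTHENTICATED:
        raise Denied("second factor not yet verified")
    candidate = new_secret()
    PENDING_ENROLLMENTS[session.user] = candidate  # active secret left untouched
    return candidate
```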

Fix

Missing Authentication · Information Disclosure · Improper Authentication

Weakness Enumeration

Related Identifiers: CVE-2026-44460

Affected Products: Filerise