{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T06:55:12.820","vulnerabilities":[{"cve":{"id":"CVE-2026-33329","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T20:16:28.217","lastModified":"2026-03-26T11:59:50.703","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0."},{"lang":"es","value":"FileRise es un gestor de archivos web / servidor WebDAV autoalojado. Desde la versión 1.0.1 hasta antes de la versión 3.10.0, el parámetro resumableIdentifier en el gestor de carga fragmentada de Resumable.js (UploadModel::handleUpload()) se concatena directamente en las rutas del sistema de archivos sin ninguna sanitización. Un usuario autenticado con permiso de carga puede explotar esto para escribir archivos en directorios arbitrarios en el servidor, eliminar directorios arbitrarios a través de la limpieza posterior al ensamblaje y sondear la existencia de archivos/directorios. \nEste problema ha sido parcheado en la versión 3.10.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.1","versionEndExcluding":"3.10.0","matchCriteriaId":"BC501FA6-2BC1-4D24-804D-57D7C060159D"}]}]}],"references":[{"url":"https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/error311/FileRise/releases/tag/v3.10.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}