What is the CVSS score of CVE-2026-33329?

CVE-2026-33329 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Filerise are affected by CVE-2026-33329?

FileRise self-hosted file manager contains a high-severity path traversal vulnerability (CVE-2026-33329, CVSS 8.1) that allows authenticated users with upload permissions to write files to arbitrary…. A patch is available.

How to fix or mitigate CVE-2026-33329?

Within 24 hours: Identify all FileRise instances in your environment and confirm current version and whether users with upload permissions exist. Within 7 days: Apply the vendor-released patch to all FileRise deployments; restrict upload permissions to only essential users pending patching. Within 30 days: Conduct filesystem integrity audit on affected FileRise systems to detect unauthorized file writes or deletions; review access logs for suspicious upload activity during the vulnerability window.

Filerise CVE-2026-33329

EUVD-2026-14992 HIGH

Path Traversal (CWE-22)

2026-03-24 GitHub_M

Path Traversal Filerise

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:17 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.10.0

EUVD ID Assigned

Mar 24, 2026 - 19:30 euvd

EUVD-2026-14992

Analysis Generated

Mar 24, 2026 - 19:30 vuln.today

CVE Published

Mar 24, 2026 - 19:14 nvd

HIGH 8.1

DescriptionGitHub Advisory

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

AnalysisAI

FileRise, a self-hosted web file manager and WebDAV server, contains a path traversal vulnerability in its Resumable.js chunked upload handler where the resumableIdentifier parameter is concatenated into filesystem paths without sanitization. Authenticated users with upload permissions can exploit this to write files to arbitrary directories, delete arbitrary directories, and probe filesystem structure. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as user with upload permission

Delivery

Craft malicious resumableIdentifier with path traversal

Exploit

Inject directory traversal sequences into chunked upload

Execution

Write files to arbitrary filesystem locations

Impact

Execute post-assembly cleanup to delete directories