Skip to main content

Filerise CVE-2026-33330

| EUVD-2026-14994 HIGH
Incorrect Authorization (CWE-863)
2026-03-24 GitHub_M
Authentication Bypass Filerise
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:17 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.10.0
EUVD ID Assigned
Mar 24, 2026 - 19:30 euvd
EUVD-2026-14994
Analysis Generated
Mar 24, 2026 - 19:30 vuln.today
CVE Published
Mar 24, 2026 - 19:15 nvd
HIGH 7.1

DescriptionGitHub Advisory

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.

AnalysisAI

A broken access control vulnerability in FileRise's ONLYOFFICE integration allows authenticated users with read-only permissions to overwrite files with malicious content by forging ONLYOFFICE save callbacks using legitimately obtained signed callbackUrls. FileRise versions prior to 3.10.0 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as read-only user
Exploit
Request signed ONLYOFFICE save callback URL
Execution
Forge ONLYOFFICE save callback request
Impact
Overwrite target file with malicious content
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires FileRise versions prior to 3.10.0 with ONLYOFFICE integration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 7.1 (High) reflects significant integrity impact with low confidentiality impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege account (read-only access) authenticates to FileRise and navigates to a sensitive document they can view but not modify. They initiate an ONLYOFFICE editing session, which generates a legitimate signed callbackUrl for save operations. …
Remediation Upgrade FileRise to version 3.10.0 or later, which contains the patch for this broken access control issue. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all FileRise deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-33330 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy