What is the CVSS score of CVE-2026-33477?

CVE-2026-33477 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-33477?

Organizations using versiosn 2.3.7 should be aware of moderate risk from CVE-2026-33477, a incorrect authorization vulnerability rated CVSS 4.3.. A patch is available.

PHP CVE-2026-33477

EUVD-2026-16277 MEDIUM

Incorrect Authorization (CWE-863)

2026-03-26 GitHub_M

PHP Authentication Bypass File Upload

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

3.11.0

EUVD ID Assigned

Mar 26, 2026 - 17:45 euvd

EUVD-2026-16277

Analysis Generated

Mar 26, 2026 - 17:45 vuln.today

CVE Published

Mar 26, 2026 - 17:09 nvd

MEDIUM 4.3

DescriptionNVD

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only read_own access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the read_own enforcement for hover previews. Version 3.11.0 fixes the issue.

AnalysisAI

FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. …

RemediationAI

Within 30 days: Identify affected systems running versiosn 2.3.7 and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33477 vulnerability details – vuln.today

Back

PHP CVE-2026-33477

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code