What is the CVSS score of CVE-2026-33645?

CVE-2026-33645 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Fireshare are affected by CVE-2026-33645?

Fireshare 1.5.1 contains a path traversal vulnerability that allows authenticated users to write files anywhere on the server, potentially enabling data exfiltration, malware deployment, or system…

How to fix or mitigate CVE-2026-33645?

Within 24 hours: Audit current Fireshare deployment to confirm version and identify any suspicious file writes in non-standard directories. Within 7 days: Upgrade to Fireshare 1.5.2 or later. Within 30 days: Conduct forensic review of file system logs and Fireshare access logs from the deployment period to identify potential exploitation.

Fireshare CVE-2026-33645

EUVD-2026-16416 HIGH

Path Traversal (CWE-22)

2026-03-26 GitHub_M

Path Traversal Fireshare

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 26, 2026 - 21:16 euvd

EUVD-2026-16416

Analysis Generated

Mar 26, 2026 - 21:16 vuln.today

CVE Published

Mar 26, 2026 - 20:58 nvd

HIGH 7.1

DescriptionGitHub Advisory

Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The checkSum multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container /tmp), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.

AnalysisAI

Fireshare version 1.5.1 allows authenticated remote attackers to write arbitrary files outside the intended upload directory through unsanitized path traversal in the chunked upload endpoint's checkSum parameter. The vulnerability enables attackers with valid credentials to write files to any location accessible to the Fireshare process, potentially compromising system integrity or enabling secondary attacks. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Fireshare application

Delivery

Send crafted chunked upload request

Exploit

Inject path traversal payload in checkSum field

Execution

Write arbitrary file outside upload directory

Impact

Compromise system integrity or enable code execution