CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Description
FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.
Analysis
FileRise, a self-hosted web file manager and WebDAV server, contains a path traversal vulnerability in its Resumable.js chunked upload handler where the resumableIdentifier parameter is concatenated into filesystem paths without sanitization. Authenticated users with upload permissions can exploit this to write files to arbitrary directories, delete arbitrary directories, and probe filesystem structure. …
Remediation
Within 24 hours: Disable FileRise chunked upload and WebDAV features if not operationally critical; audit access logs for suspicious upload activity. Within 7 days: Implement network segmentation to restrict FileRise access to necessary users only; deploy WAF rules to block resumableIdentifier payloads containing path traversal patterns (../, ..\, encoded variants). …
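As an added example (not part of the advisory or the FileRise code base), the log audit suggested above can be sketched as a script that percent-decodes each logged resumableIdentifier repeatedly and flags any value outside an allow-list. It assumes the parameter appears in the logged query string and that legitimate identifiers use only letters, digits, "_" and "-"; the endpoint path is a placeholder and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "resumableIdentifier"
# Assumption: legitimate identifiers contain only letters, digits, "_" and "-".
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,255}")
REQUEST = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; "/upload-endpoint" is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /upload-endpoint'
    '?resumableChunkNumber=1&resumableIdentifier=1024-reportpdf HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /upload-endpoint'
    '?resumableIdentifier=..%2F..%2Fexample HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /upload-endpoint'
    '?resumableIdentifier=%252e%252e%255cexample HTTP/1.1" 200 0',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (line_number, decoded_identifier) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl decodes once; fully_decode peels any further layers.
        for key, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if key == PARAM and SAFE_ID.fullmatch(decoded) is None:
                hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, identifier in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious identifier {identifier!r}")
```

Matching against an allow-list after decoding, rather than searching for `../` alone, also catches backslash and multiply-encoded variants; identifiers sent only in a POST body will not appear in a standard access log.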
EUVD-2026-14992