Fireshare
Monthly
Arbitrary file write in Fireshare <1.5.3 allows unauthenticated remote attackers to upload malicious files to any writable server path via path traversal in the /api/uploadChunked/public endpoint's checkSum parameter. This represents an incomplete fix for CVE-2026-33645, where remediation was applied only to the authenticated endpoint while leaving the public variant exploitable. SSVC confirms publicly available exploit code exists and the vulnerability is automatable with partial technical impact. CVSS 9.1 (Critical) reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, enabling both integrity and availability compromise.
Fireshare version 1.5.1 allows authenticated remote attackers to write arbitrary files outside the intended upload directory through unsanitized path traversal in the chunked upload endpoint's checkSum parameter. The vulnerability enables attackers with valid credentials to write files to any location accessible to the Fireshare process, potentially compromising system integrity or enabling secondary attacks. No public exploit identified at time of analysis, though the vulnerability has been fixed in version 1.5.2 released by the vendor.
FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file write in Fireshare <1.5.3 allows unauthenticated remote attackers to upload malicious files to any writable server path via path traversal in the /api/uploadChunked/public endpoint's checkSum parameter. This represents an incomplete fix for CVE-2026-33645, where remediation was applied only to the authenticated endpoint while leaving the public variant exploitable. SSVC confirms publicly available exploit code exists and the vulnerability is automatable with partial technical impact. CVSS 9.1 (Critical) reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, enabling both integrity and availability compromise.
Fireshare version 1.5.1 allows authenticated remote attackers to write arbitrary files outside the intended upload directory through unsanitized path traversal in the chunked upload endpoint's checkSum parameter. The vulnerability enables attackers with valid credentials to write files to any location accessible to the Fireshare process, potentially compromising system integrity or enabling secondary attacks. No public exploit identified at time of analysis, though the vulnerability has been fixed in version 1.5.2 released by the vendor.
FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.