CVE-2026-33071
Published: 20 March 2026
Summary
CVE-2026-33071 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Filerise's FileRise. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly addresses the lack of filename validation in the WebDAV createFile() and put() methods by requiring input validation mechanisms, such as a regex, that block dangerous extensions like .phtml, .php5, and .htaccess.
Applying the vendor patch remediates the specific flaw in the FileRise WebDAV upload endpoints; the issue is fixed in version 3.8.0.
CM-7 (Least Functionality) limits exposure by disabling or restricting WebDAV upload capabilities or executable file handling, so that an unrestricted upload cannot be turned into code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application via unrestricted WebDAV file upload (T1190), which can facilitate deployment of web shells as executable PHP files for remote code execution (T1505.003).
NVD Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.
Deeper analysis
CVE-2026-33071 affects FileRise, a self-hosted web file manager and WebDAV server, in versions prior to 3.8.0. The vulnerability stems from the WebDAV upload endpoint, implemented in the createFile() method of FileRiseDirectory.php and the put() method of FileRiseFile.php, which accepts filenames directly from WebDAV clients without validation. This bypasses the filename validation enforced by REGEX_FILE_NAME in the regular upload endpoint of UploadModel::upload(), allowing uploads of files with executable extensions such as .phtml, .php5, and .htaccess. Published on 2026-03-20 with a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), it is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-552 (Files or Directories Accessible to External Parties).
An authenticated attacker with low privileges (PR:L) and network access can exploit this by uploading malicious files via the WebDAV endpoint. In non-default deployments lacking Apache's LocationMatch protection, this enables remote code execution by serving the uploaded executable files.
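The root cause described above is that the WebDAV handlers skip the filename gate the regular upload path applies. The following is an added example, not FileRise's own code: a single validation function that both the regular upload path and the WebDAV createFile()/put() handlers could call, so neither path bypasses the other. The allow-list regex, the extension deny-list and the function name are assumptions, not FileRise's REGEX_FILE_NAME.

```php
<?php
// Added example (not FileRise code): one filename gate shared by every upload path.
// Assumptions: SAFE_FILE_NAME_REGEX, DANGEROUS_EXTENSIONS and isSafeUploadName()
// are hypothetical names chosen for this illustration. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Hypothetical allow-list: starts with a letter or digit (so dotfiles such as
// .htaccess are rejected), then only letters, digits, space, dot, dash, underscore.
const SAFE_FILE_NAME_REGEX = '/^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$/';

// Server-side executable or server-configuration extensions. Every dot-separated
// segment after the base name is checked, because Apache's AddHandler/mod_php may
// execute multi-extension names such as "shell.php.jpg".
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'htaccess', 'htpasswd', 'cgi', 'pl', 'sh',
];

function isSafeUploadName(string $name): bool
{
    // Reject empty names, NUL bytes and anything carrying a path separator.
    if ($name === '' || str_contains($name, "\0")
        || str_contains($name, '/') || str_contains($name, '\\')) {
        return false;
    }
    if (preg_match(SAFE_FILE_NAME_REGEX, $name) !== 1) {
        return false;
    }
    // Case-insensitive check of every extension segment (".PHtml" is still PHP).
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the base name, keep the extension chain
    foreach ($parts as $ext) {
        if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, as a WebDAV client could supply them in a PUT/MKCOL.
$samples = ['report.pdf', 'photo.JPG', 'shell.phtml', 'x.php5',
            '.htaccess', 'a.php.jpg', '../etc', "n\0.txt"];
foreach ($samples as $n) {
    printf("%-14s %s\n", json_encode($n), isSafeUploadName($n) ? 'accept' : 'reject');
}
```

Calling this gate from the WebDAV createFile() and put() handlers, in addition to the regular upload path, closes the bypass; pairing it with the Apache LocationMatch rule that denies execution in the upload directory gives defense in depth for deployments where that rule is absent.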
The issue is fixed in FileRise version 3.8.0, as detailed in the release notes at https://github.com/error311/FileRise/releases/tag/v3.8.0 and the security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2, which recommend upgrading to mitigate the vulnerability.
Details
- CWE(s)