Cyber Resilience

CVE-2026-33329

High · Public PoC

Published: 24 March 2026

Modified: 26 March 2026
KEV Added: not listed
Patch: available (FileRise 3.10.0)
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0044 (35.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33329 is a high-severity Path Traversal (CWE-22) vulnerability in FileRise (listed as vendor Filerise, product Filerise). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability is ranked at the 35.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33329 is a path traversal vulnerability (CWE-22, CWE-73) affecting FileRise, a self-hosted web file manager and WebDAV server. In versions 1.0.1 through 3.9.x, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is directly concatenated into filesystem paths without sanitization, enabling directory traversal attacks. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-03-24.

An authenticated user with upload permissions can exploit this flaw remotely over the network with low complexity. By crafting the resumableIdentifier parameter with traversal sequences (e.g., ../), attackers can write uploaded file chunks to arbitrary server directories, assemble them into malicious files, delete arbitrary directories during post-assembly cleanup, and probe for the existence of files or directories.

The issue is addressed in FileRise version 3.10.0, where sanitization was added to the resumableIdentifier handling. Security practitioners should upgrade to this version immediately. Relevant resources include the patching commit at https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c, the release notes at https://github.com/error311/FileRise/releases/tag/v3.10.0, and the GitHub security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh.
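The defensive pattern the fix calls for, an identifier validated against a strict allow-list before it ever touches a path, plus a cleanup routine that independently confirms the resolved directory sits beneath the upload root, is shown below as an added example. This is not FileRise's own code or its patch; the class `ChunkStore`, its method names, the `part<N>` chunk file naming and the 128-character limit are assumptions, and the demo input is constructed. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not FileRise code: validation for a Resumable.js
// resumableIdentifier before it is used in a filesystem path, and a guarded
// post-assembly cleanup. Class/method names and the 128-char limit are assumed.
final class ChunkStore
{
    // Resumable.js identifiers are opaque tokens, so a strict allow-list is
    // appropriate: letters, digits, '-' and '_' only, bounded length. Slashes,
    // dots, NUL bytes and empty strings are all rejected, which rules out every
    // "../"-style traversal sequence without trying to enumerate them.
    private const IDENTIFIER_PATTERN = '/\A[A-Za-z0-9_-]{1,128}\z/';

    private string $uploadRoot;

    public function __construct(string $uploadRoot)
    {
        $real = realpath($uploadRoot);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("upload root is not a directory: $uploadRoot");
        }
        $this->uploadRoot = $real;
    }

    public static function isSafeIdentifier(string $id): bool
    {
        return preg_match(self::IDENTIFIER_PATTERN, $id) === 1;
    }

    // The bug class from the advisory is the unguarded shape
    //   $dir = $uploadRoot . '/' . $_POST['resumableIdentifier'];
    // The hardened version refuses anything outside the allow-list first.
    public function chunkDir(string $id): string
    {
        if (!self::isSafeIdentifier($id)) {
            throw new InvalidArgumentException('rejected resumableIdentifier');
        }
        return $this->uploadRoot . DIRECTORY_SEPARATOR . $id;
    }

    public function storeChunk(string $id, int $chunkNumber, string $bytes): string
    {
        if ($chunkNumber < 1) {
            throw new InvalidArgumentException('chunk numbers start at 1');
        }
        $dir = $this->chunkDir($id);
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        $path = $dir . DIRECTORY_SEPARATOR . 'part' . $chunkNumber;
        file_put_contents($path, $bytes);
        return $path;
    }

    // Post-assembly cleanup. Even with the allow-list above, a delete routine
    // should re-check that the resolved path is strictly beneath the upload
    // root before removing anything (defence in depth against a later
    // regression in the validator).
    public function cleanupChunkDir(string $id): bool
    {
        $real = realpath($this->chunkDir($id));
        if ($real === false) {
            return false; // nothing to remove
        }
        if (!str_starts_with($real, $this->uploadRoot . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("refusing to delete outside upload root: $real");
        }
        foreach (scandir($real) as $entry) {
            if ($entry !== '.' && $entry !== '..') {
                unlink($real . DIRECTORY_SEPARATOR . $entry);
            }
        }
        return rmdir($real);
    }
}

// Demo on a throwaway directory with constructed identifiers (not real traffic).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'chunkstore-demo-' . bin2hex(random_bytes(4));
mkdir($root, 0700, true);
$store = new ChunkStore($root);

foreach (['abc123-DEF_456', '../../etc', 'a/b', "x\0y", ''] as $id) {
    $shown = str_pad(json_encode($id), 18);
    try {
        echo $shown, ' -> accepted: ', $store->chunkDir($id), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $shown, ' -> rejected', PHP_EOL;
    }
}

$store->storeChunk('abc123-DEF_456', 1, 'hello ');
$store->storeChunk('abc123-DEF_456', 2, 'world');
$store->cleanupChunkDir('abc123-DEF_456');
rmdir($root);
```

Two design points are worth noting. First, the validator is an allow-list rather than a filter that strips `../`: sequence-stripping is easy to get wrong (a stripped substring can leave a new traversal sequence behind, and encoded or platform-specific separators are easy to miss), whereas a character class with a length bound has no such edge cases. Second, the cleanup step checks the realpath prefix on its own rather than trusting that the identifier was validated upstream; the advisory lists arbitrary directory deletion as a distinct consequence of this flaw, so the delete path deserves its own guard.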

Vulnerability details

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

CWE(s): CWE-22, CWE-73

Related Threats

MITRE ATT&CK Enterprise Techniques

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Path traversal enables arbitrary file write (facilitating web shell deployment in T1505.003) and directory deletion (directly achieving T1485 Data Destruction).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33071 (same product: Filerise Filerise)
CVE-2026-33072 (same product: Filerise Filerise)
CVE-2026-33330 (same product: Filerise Filerise)
CVE-2026-25231 (same product: Filerise Filerise)
CVE-2026-22249 (shared CWE-22)
CVE-2026-46402 (shared CWE-22, CWE-73)
CVE-2025-66292 (shared CWE-22, CWE-73)
CVE-2025-58158 (shared CWE-22, CWE-73)
CVE-2026-30940 (shared CWE-22, CWE-73)
CVE-2026-27115 (shared CWE-22, CWE-73)

Affected Assets

Vendor: filerise
Product: filerise
Versions: 1.0.1 — 3.10.0

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)
Requires validation of the resumableIdentifier parameter to block path traversal sequences before concatenation into filesystem paths.

prevent · SI-2 (Flaw Remediation)
Mandates timely identification, reporting, and patching of the path traversal flaw as addressed in FileRise version 3.10.0.

prevent
Enforces logical access controls to restrict authenticated users from writing files to or deleting arbitrary directories outside permitted upload paths.

References