CVE-2026-33329

Severity: High · Public PoC referenced

Published: 24 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: FileRise 3.10.0
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0009 (24.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33329 is a high-severity Path Traversal (CWE-22) vulnerability in FileRise (vendor Filerise). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability ranks at the 24.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): requires validation of the resumableIdentifier parameter to block path traversal sequences before it is concatenated into filesystem paths.
- SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and patching of the path traversal flaw, as addressed in FileRise version 3.10.0.
- Logical access control (prevent): enforces access controls that restrict authenticated users from writing files to, or deleting, arbitrary directories outside the permitted upload paths.

MITRE ATT&CK Enterprise Techniques

- T1485 Data Destruction (Impact): adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
- T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal enables arbitrary file write (facilitating web shell deployment in T1505.003) and directory deletion (directly achieving T1485 Data Destruction).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is concatenated directly into filesystem paths without any sanitization. An authenticated user with upload permission can exploit this to write files to arbitrary directories on the server, delete arbitrary directories via the post-assembly cleanup, and probe file/directory existence. This issue has been patched in version 3.10.0.

Deeper analysis

CVE-2026-33329 is a path traversal vulnerability (CWE-22, CWE-73) affecting FileRise, a self-hosted web file manager and WebDAV server. In versions 1.0.1 through 3.9.x, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::handleUpload()) is directly concatenated into filesystem paths without sanitization, enabling directory traversal attacks. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-03-24.

An authenticated user with upload permissions can exploit this flaw remotely over the network with low complexity. By crafting the resumableIdentifier parameter with traversal sequences (e.g., ../), attackers can write uploaded file chunks to arbitrary server directories, assemble them into malicious files, delete arbitrary directories during post-assembly cleanup, and probe for the existence of files or directories.

The issue is addressed in FileRise version 3.10.0, where sanitization was added to the resumableIdentifier handling. Security practitioners should upgrade to this version immediately. Relevant resources include the patching commit at https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c, the release notes at https://github.com/error311/FileRise/releases/tag/v3.10.0, and the GitHub security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh.
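The SI-10 control recommended above, applied to the flaw described in this analysis, as an added example that is not FileRise's own code: an allowlist on the raw resumableIdentifier value, plus an independent containment check on the resolved per-upload chunk directory, so a bypass of either check is still caught by the other. The upload-root path, the one-directory-per-identifier layout and the UnsafeIdentifier name are assumptions for the example.

```python
import re
from pathlib import Path

# Added example, not FileRise's own code. Resumable.js by default derives
# resumableIdentifier from the file size and the file name with everything
# except letters, digits, '-' and '_' stripped, so that set is the allowlist.
IDENT_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


class UnsafeIdentifier(ValueError):
    """Raised when a resumableIdentifier must not reach the filesystem."""


def is_allowlisted(identifier: str) -> bool:
    """SI-10 style check on the raw parameter, before any path is built."""
    return IDENT_RE.fullmatch(identifier) is not None


def contained_chunk_dir(upload_root: str, identifier: str) -> Path:
    """Build <upload_root>/<identifier> and prove it stays under the root.

    Compares resolved paths, so '..' segments and symlinks are collapsed
    first. The root itself is rejected as well: the post-assembly cleanup
    deletes the returned directory, so returning the root would be fatal.
    """
    root = Path(upload_root).resolve()          # hypothetical chunk store
    target = (root / identifier).resolve()      # absolute ids replace root
    if target == root:
        raise UnsafeIdentifier("identifier resolves to the upload root itself")
    try:
        target.relative_to(root)
    except ValueError:
        raise UnsafeIdentifier("identifier escapes the upload root") from None
    return target


def safe_chunk_dir(upload_root: str, identifier: str) -> Path:
    """Both checks together: reject on the allowlist, then on containment."""
    if not is_allowlisted(identifier):
        raise UnsafeIdentifier("identifier contains disallowed characters")
    return contained_chunk_dir(upload_root, identifier)


def accepts(upload_root: str, identifier: str) -> bool:
    """Boolean wrapper for a handler that only needs to reject the request."""
    try:
        safe_chunk_dir(upload_root, identifier)
    except UnsafeIdentifier:
        return False
    return True
```

The containment check alone would still let a single-segment identifier create any directory name under the root, which is why the allowlist runs first; the containment check is what survives if the allowlist is ever loosened.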

Details

CWE(s): CWE-22, CWE-73

Affected Products: vendor filerise, product filerise, versions 1.0.1 up to (not including) 3.10.0

CVEs Like This One

- CVE-2026-33071 (same product: Filerise FileRise)
- CVE-2026-25231 (same product: Filerise FileRise)
- CVE-2026-33072 (same product: Filerise FileRise)
- CVE-2026-33330 (same product: Filerise FileRise)
- CVE-2026-27115 (shared CWE-22, CWE-73)
- CVE-2025-58158 (shared CWE-22, CWE-73)
- CVE-2026-30940 (shared CWE-22, CWE-73)
- CVE-2026-32749 (shared CWE-22, CWE-73)
- CVE-2025-66292 (shared CWE-22, CWE-73)
- CVE-2026-31939 (shared CWE-22, CWE-73)

References

- Patching commit: https://github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973c
- Release notes: https://github.com/error311/FileRise/releases/tag/v3.10.0
- GitHub security advisory: https://github.com/error311/FileRise/security/advisories/GHSA-c2jm-4wp9-5vrh