CVE-2026-33645
Published: 26 March 2026
Summary
CVE-2026-33645 is a high-severity Path Traversal (CWE-22) vulnerability in Shaneisrael Fireshare. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the checkSum multipart field to sanitize inputs and prevent path traversal during chunked uploads.
Mandates timely flaw remediation by upgrading to Fireshare version 1.5.2, which fixes the unsanitized path construction vulnerability.
Enforces least privilege on the Fireshare process to limit writable paths and reduce the impact of arbitrary file writes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in chunked upload enables direct arbitrary file write to writable paths, facilitating tool/payload ingress (T1105) and stored data manipulation such as config overwrites (T1565.001).
NVD Description
Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in…
more
filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.
Deeper analysisAI
CVE-2026-33645 is an authenticated path traversal vulnerability (CWE-22, CWE-73) affecting Fireshare version 1.5.1, a self-hosted media and link sharing application. The issue resides in the chunked upload endpoint, where the `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This allows attackers to write arbitrary files outside the intended upload directory to paths writable by the Fireshare process, such as `/tmp` in containerized deployments. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), indicating high integrity impact with low availability impact and no confidentiality impact.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the `checkSum` field during a chunked upload, they can direct file writes to arbitrary locations accessible to the process, violating filesystem integrity and potentially enabling follow-on attacks based on the deployment environment, such as overwriting configuration files or staging payloads in shared directories.
GitHub security advisories (GHSA-7q8r-vpq3-89m7) and the release notes for Fireshare version 1.5.2 confirm that the issue is fixed in the updated version, recommending an immediate upgrade to mitigate the vulnerability.
Details
- CWE(s)