Cyber Resilience

CVE-2026-34745

CriticalPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0062 45.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34745 is a critical-severity Path Traversal (CWE-22) vulnerability in Shaneisrael Fireshare. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34745 is a path traversal vulnerability (CWE-22) in Fireshare, an open-source self-hosted media and link sharing application. The issue affects versions prior to 1.5.3 and stems from an incomplete fix for the related CVE-2026-33645. While the patch for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint, it was not extended to the unauthenticated /api/uploadChunked/public endpoint in the file app/server/fireshare/api.py. This allows exploitation of the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the /api/uploadChunked/public endpoint, the attacker can upload chunks of data that bypass path restrictions, enabling arbitrary file writes on the server. Successful exploitation grants high-impact integrity and availability disruption, such as overwriting critical configuration files, scripts, or binaries, potentially leading to full server compromise, though confidentiality is not directly affected.

The vulnerability has been addressed in Fireshare version 1.5.3, as detailed in the project's security advisory (GHSA-fvvp-rj8g-c7gc), release notes, associated pull request #520, and the patching commit b76915607924756e6fa1a5f6c8823c38d611fb24. Security practitioners should upgrade to version 1.5.3 or later and review server filesystem permissions to limit damage from any prior exposures.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can…

more

exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in unauthenticated public API endpoint enables remote arbitrary file writes on public-facing app (T1190); directly facilitates writing web shell files to executable paths for code execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33645Same product: Shaneisrael Fireshare
CVE-2025-67728Same product: Shaneisrael Fireshare
CVE-2025-24406Shared CWE-22
CVE-2026-24848Shared CWE-22
CVE-2024-11642Shared CWE-22
CVE-2026-36760Shared CWE-22
CVE-2024-44373Shared CWE-22
CVE-2026-33529Shared CWE-22
CVE-2026-7519Shared CWE-22
CVE-2019-25480Shared CWE-22

Affected Assets

shaneisrael
fireshare
≤ 1.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates the checkSum parameter and other inputs to the unauthenticated /api/uploadChunked/public endpoint to block path traversal payloads enabling arbitrary file writes.

prevent

Requires timely patching of the incomplete fix in app/server/fireshare/api.py as provided in Fireshare version 1.5.3 to remediate the vulnerability.

detect

Monitors for unauthorized changes to files on the server filesystem resulting from exploitation of the path traversal vulnerability.

References