CVE-2026-34745
Published: 02 April 2026
Summary
CVE-2026-34745 is a critical-severity Path Traversal (CWE-22) vulnerability in Shaneisrael Fireshare. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates the checkSum parameter and other inputs to the unauthenticated /api/uploadChunked/public endpoint to block path traversal payloads enabling arbitrary file writes.
Requires timely patching of the incomplete fix in app/server/fireshare/api.py as provided in Fireshare version 1.5.3 to remediate the vulnerability.
Monitors for unauthorized changes to files on the server filesystem resulting from exploitation of the path traversal vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in unauthenticated public API endpoint enables remote arbitrary file writes on public-facing app (T1190); directly facilitates writing web shell files to executable paths for code execution (T1100).
NVD Description
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can…
more
exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.
Deeper analysisAI
CVE-2026-34745 is a path traversal vulnerability (CWE-22) in Fireshare, an open-source self-hosted media and link sharing application. The issue affects versions prior to 1.5.3 and stems from an incomplete fix for the related CVE-2026-33645. While the patch for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint, it was not extended to the unauthenticated /api/uploadChunked/public endpoint in the file app/server/fireshare/api.py. This allows exploitation of the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the /api/uploadChunked/public endpoint, the attacker can upload chunks of data that bypass path restrictions, enabling arbitrary file writes on the server. Successful exploitation grants high-impact integrity and availability disruption, such as overwriting critical configuration files, scripts, or binaries, potentially leading to full server compromise, though confidentiality is not directly affected.
The vulnerability has been addressed in Fireshare version 1.5.3, as detailed in the project's security advisory (GHSA-fvvp-rj8g-c7gc), release notes, associated pull request #520, and the patching commit b76915607924756e6fa1a5f6c8823c38d611fb24. Security practitioners should upgrade to version 1.5.3 or later and review server filesystem permissions to limit damage from any prior exposures.
Details
- CWE(s)