Cyber Resilience

CVE-2026-44460

Severity: High
Published: 27 May 2026
Modified: 01 June 2026
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0027 (17.6th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-44460 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 17.6th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.
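To make the authorization gap concrete, the following is an added Python model (not FileRise's own code) contrasting the described pre-3.12.0 behaviour with a guard that refuses setup from a pending_login_user session and never returns a stored secret. The session states, UserStore and sample secret are constructed assumptions for illustration.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of the session states named in the advisory.
ANONYMOUS = "anonymous"
PENDING_LOGIN_USER = "pending_login_user"   # password accepted, TOTP not yet verified
AUTHENTICATED = "authenticated"             # password (and TOTP, if enrolled) verified


@dataclass
class Session:
    user: Optional[str] = None
    state: str = ANONYMOUS


@dataclass
class UserStore:
    # username -> base32 TOTP secret (constructed stand-in for the encrypted store)
    totp_secrets: Dict[str, str] = field(default_factory=dict)


def _mint_secret() -> str:
    # 160-bit secret, base32 as authenticator apps expect (32 chars, no padding)
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp_setup_vulnerable(session: Session, store: UserStore) -> str:
    """Pre-3.12.0 behaviour as described: any session naming a user may call
    setup, and an already-enrolled user gets their live secret back."""
    if session.user is None:
        raise PermissionError("no user in session")
    existing = store.totp_secrets.get(session.user)
    if existing is not None:
        return existing  # BUG: leaks the enrolled secret to a half-authenticated caller
    secret = _mint_secret()
    store.totp_secrets[session.user] = secret
    return secret


def totp_setup_hardened(session: Session, store: UserStore) -> str:
    """Guard in the spirit of the fix: require a fully authenticated session and
    refuse when TOTP is already configured, so a stored secret is never returned."""
    if session.state != AUTHENTICATED or session.user is None:
        raise PermissionError("TOTP setup requires a fully authenticated session")
    if session.user in store.totp_secrets:
        raise PermissionError("TOTP already configured; disable it before re-enrolling")
    secret = _mint_secret()
    store.totp_secrets[session.user] = secret
    return secret
```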

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in public-facing web endpoint directly enables authentication bypass after password check by exposing TOTP secret.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5000 (shared CWE-287, CWE-306)
CVE-2026-4959 (shared CWE-287, CWE-306)
CVE-2025-11529 (shared CWE-287, CWE-306)
CVE-2026-7042 (shared CWE-287, CWE-306)
CVE-2026-7723 (shared CWE-287, CWE-306)
CVE-2026-6577 (shared CWE-287, CWE-306)
CVE-2026-6582 (shared CWE-287, CWE-306)
CVE-2026-4562 (shared CWE-287, CWE-306)
CVE-2025-11942 (shared CWE-287, CWE-306)
CVE-2025-58443 (shared CWE-287, CWE-306)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce.

Assessment of authentication-related threats and vulnerabilities leads to remediation of missing or weak authentication controls.

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

addresses: CWE-200 CWE-287

Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-287

Audit record review and analysis can detect unauthorized exposure or access to sensitive information.

addresses: CWE-287 CWE-306

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

addresses: CWE-287 CWE-200

Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues.