CVE-2026-33477

Medium CVSS: 4.3

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.

Vendor

Filerise

Product

Filerise

CWE

CWE-863

Yayın Tarihi

2026-03-26 18:16:29

Güncelleme

2026-03-31 12:38:12

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-863 Filerise MEDIUM Filerise 2026

Referanslar

https://github.com/error311/FileRise/releases/tag/v3.11.0 https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83 https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83

Benzer Kayıtlar

High

CVE-2026-33329

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableId…

High

CVE-2026-33330

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in Fi…

Low

CVE-2026-33070

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnera…

Medium

CVE-2026-33071

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accep…

High

CVE-2026-33072

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption k…

Medium

CVE-2026-25230

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an au…