CVE-2026-33645

High CVSS: 7.1

Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.

Vendor

Shaneisrael

Product

Fireshare

CWE

CWE-22

Yayın Tarihi

2026-03-26 21:17:07

Güncelleme

2026-03-30 18:12:01

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Fireshare HIGH Shaneisrael 2026

Referanslar

https://github.com/ShaneIsrael/fireshare/releases/tag/v1.5.2 https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7 https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7

Benzer Kayıtlar

Critical

CVE-2026-34745

Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied…

Critical

CVE-2025-67728

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unau…

Medium

CVE-2025-55476

FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint…