{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33071", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.344Z", "datePublished": "2026-03-20T08:27:37.149Z", "dateUpdated": "2026-03-20T08:27:37.149Z"}, "containers": {"cna": {"title": "FileRise: WebDAV upload path bypasses filename validation enforced by regular uploads", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2"}, {"name": "https://github.com/error311/FileRise/releases/tag/v3.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/error311/FileRise/releases/tag/v3.8.0"}], "affected": [{"vendor": "error311", "product": "FileRise", "versions": [{"version": "< 3.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:27:37.149Z"}, "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0."}], "source": {"advisory": "GHSA-46gv-gf5f-wvr2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0."}], "id": "CVE-2026-33071", "lastModified": "2026-03-20T09:16:15.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/error311/FileRise/releases/tag/v3.8.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T09:20:59.084237+00:00", "value": {"mitigation_remediation": ["Update FileRise to version 3.8.0 or later", "If a patch cannot be applied, disable or restrict the WebDAV upload functionality in the configuration", "Ensure Apache\u2019s LocationMatch or equivalent directives are set to prevent execution of uploaded files"], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The weakness applies to all releases of FileRise prior to version 3.8.0. The vendor\u2019s advisory lists the affected product as error311:FileRise and states that the issue is resolved in release v3.8.0. No additional version specifics are provided beyond the \"before 3.8.0\" boundary.", "description_and_impact": "FileRise, a self-hosted web file manager and WebDAV server, allowed the WebDAV upload endpoint to accept files with any extension, including server\u2011side executable types such as .php, .phtml, and .htaccess. This bypassed the normal filename validation that the regular upload path enforces, exposing the system to the risk of executing malicious code uploaded by an attacker. The vulnerability correlates with CWE-434, indicating unrestricted upload of a file with dangerous type, and also touches on CWE-552 due to potential sensitive data exposure from improperly validated uploads.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a low to medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker who can reach the WebDAV upload endpoint\u2014typically over the network or an exposed HTTP port\u2014could upload a file with a dangerous extension if the server lacks Apache\u2019s LocationMatch protection. Successful exploitation would allow the attacker to execute code on the host or gain further compromise. The attack requires network access to the WebDAV interface and the ability to authenticate if the endpoint is protected."}}}}, "created": "2026-03-20T10:36:32.921736+00:00", "updated": "2026-03-20T10:36:32.921765+00:00", "vendors": []}