Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.
Published: 2026-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in the WebDAV upload endpoint of FileRise, which accepts filenames of any type without validating extensions. This bypasses the stricter checks used by the regular upload path, allowing attackers to upload server‑side executable files such as .phtml, .php5, or .htaccess. If such a file is executed by the web server, the attacker can run arbitrary code on the host, compromising confidentiality, integrity, or availability of the affected system. The weakness is classified as CWE-434 (unrestricted upload of a file with a dangerous type) and CWE-552 (files or directories accessible to external parties).

Affected Systems

All FileRise installations running a version older than 3.8.0 are affected. The vulnerability specifically impacts the self‑hosted web file manager and its WebDAV server component. No other products or versions are listed as impacted by this advisory.

Risk and Exploitability

The vulnerability carries a score of 4.3, indicating moderate severity, and an estimated exploit probability of less than 1%, suggesting that widespread exploitation is unlikely. It is not included in CISA’s Known Exploited Vulnerabilities catalog. The attack can be performed remotely through the WebDAV upload interface; an authenticated or unauthenticated client that can send uploads may trigger the flaw. In deployments lacking Apache LocationMatch protection, a malicious file can be executed immediately, giving an attacker full control over the host. The issue was addressed in FileRise 3.8.0.

Generated by OpenCVE AI on March 23, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FileRise to version 3.8.0 or later.
  • If an upgrade is not immediately possible, configure Apache’s LocationMatch or a similar URL filter to prevent execution of uploaded files with extensions such as .phtml, .php5, or .htaccess.
  • Consider disabling the WebDAV upload endpoint or restricting it to non‑executable file types.
  • Monitor upload logs for unusual file uploads and verify that no uploaded files are being executed.
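The second action above, written out as an Apache 2.4 configuration fragment. This is an added example, not FileRise's own configuration or the LocationMatch rule the advisory refers to; the `/uploads/` URL prefix and the `/var/www/filerise/uploads` directory are assumed placeholders and must be replaced with the paths the deployment actually serves WebDAV uploads from.

```apache
# Added example (not from the FileRise project). Paths are assumptions:
# /uploads/ is the URL prefix and /var/www/filerise/uploads the directory
# where uploaded files land; adjust both to the real deployment.

# Refuse to serve anything under the upload tree whose name carries a
# server-executable extension. The trailing (\.|$) also catches names such
# as "report.php.txt", which some handler configurations still execute.
<LocationMatch "^/uploads/.*\.(php[0-9]?|phtml|phar|phps|shtml|cgi|pl)(\.|$)">
    Require all denied
</LocationMatch>

<Directory "/var/www/filerise/uploads">
    # An uploaded .htaccess is ignored entirely when overrides are off,
    # so it cannot re-enable handlers or options for this tree.
    AllowOverride None
    # Strip PHP handling even if a name slips past the regex above.
    RemoveHandler .php .phtml .php5
    RemoveType .php .phtml .php5
    Options -ExecCGI -Includes
    # mod_php deployments can additionally switch the engine off here:
    # php_admin_flag engine off
</Directory>
```

`Require all denied` blocks direct retrieval, `AllowOverride None` neutralises uploaded `.htaccess` files, and the `RemoveHandler`/`RemoveType`/`Options` lines make sure nothing in that tree is interpreted as a script even when the first rule is somehow bypassed. After applying the change, request a known PHP-named test file under the prefix and confirm the server answers 403 rather than executing or serving it.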
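Two of the points above, the filename validation that the WebDAV path skipped and the log monitoring in the last action, as one added Python example. It is not FileRise code: the allow-list regex is a stand-in for the project's REGEX_FILE_NAME, whose actual pattern the advisory does not give, and the access-log lines are constructed samples in Apache combined format.

```python
"""Added example (not FileRise code): apply one filename allow-list to WebDAV
PUT names, and scan web-server access logs for WebDAV uploads of names that
would fail it.

Assumptions: FILE_NAME_RE stands in for FileRise's REGEX_FILE_NAME (real
pattern not in the advisory); SAMPLE_LOG lines are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# ASSUMED allow-list: one path component, no leading dot, letters/digits plus
# a few punctuation characters, and a final alphanumeric extension.
FILE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._()\-]{0,199}\.[A-Za-z0-9]{1,10}$")

# Defense in depth: names matching the regex are still refused if any of
# their extensions could be executed or change server behaviour. Covers the
# types named in the advisory plus common variants.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "cgi", "pl", "shtml", "htaccess", "htpasswd",
}


def is_safe_upload_name(name: str) -> bool:
    """True only if `name` is acceptable for storage under the web root."""
    if not FILE_NAME_RE.fullmatch(name):
        return False  # rejects ".htaccess" (leading dot), "../x", "a/b", etc.
    # Check every dot-separated part after the first, so "shell.php.txt" is
    # refused too: some Apache handler setups match inner extensions.
    parts = name.lower().split(".")[1:]
    return not any(p in EXECUTABLE_EXTS for p in parts)


# Apache combined log format: client, ident, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_suspicious_webdav_puts(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, user, method, path) for successful PUTs whose target file
    name would fail is_safe_upload_name().

    Caveat: a rename via MOVE or COPY carries its target in the Destination
    header, which the access log does not record, so those need
    application-level logging rather than this parser.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT":
            continue
        if int(m.group("status")) >= 400:
            continue  # refused by the server; nothing was written
        path = m.group("path").split("?", 1)[0]
        name = unquote(path.rsplit("/", 1)[-1])
        if name and not is_safe_upload_name(name):
            hits.append((m.group("ip"), m.group("user"), "PUT", path))
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - alice [20/Mar/2026:10:01:02 +0000] "PUT /webdav/reports/q1.pdf HTTP/1.1" 201 0 "-" "davfs2"',
    '203.0.113.7 - alice [20/Mar/2026:10:01:05 +0000] "PUT /webdav/reports/notes.txt HTTP/1.1" 204 0 "-" "davfs2"',
    '198.51.100.23 - bob [20/Mar/2026:10:02:10 +0000] "PUT /webdav/public/cmd.phtml HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '198.51.100.23 - bob [20/Mar/2026:10:02:11 +0000] "PUT /webdav/public/.htaccess HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '198.51.100.23 - bob [20/Mar/2026:10:02:12 +0000] "PUT /webdav/public/img.php5 HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.23 - bob [20/Mar/2026:10:02:13 +0000] "GET /uploads/public/cmd.phtml HTTP/1.1" 200 45 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_webdav_puts(SAMPLE_LOG):
        print("suspicious WebDAV write:", hit)
```

Running the block flags the two successful PUTs of `cmd.phtml` and `.htaccess` and ignores the 403 response and the later GET. The same `is_safe_upload_name` check is what the fixed WebDAV path needs to apply before `createFile()`/`put()` touch the filesystem; the pattern here is only an illustration of that allow-list approach, not the project's regex.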


Tracking


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Filerise
Filerise filerise
CPEs cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*
Vendors & Products Filerise
Filerise filerise

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Error311
Error311 filerise
Vendors & Products Error311
Error311 filerise

Fri, 20 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.
Title FileRise: WebDAV upload path bypasses filename validation enforced by regular uploads
Weaknesses CWE-434
CWE-552
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Error311 Filerise
Filerise Filerise
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T21:21:06.590Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33071

Vulnrichment

Updated: 2026-03-20T21:21:01.604Z

NVD

Status: Analyzed

Published: 2026-03-20T09:16:15.537

Modified: 2026-03-23T15:36:46.600

Link: CVE-2026-33071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:50Z

Weaknesses