Impact
A path traversal flaw in the resumableIdentifier parameter of FileRise's Resumable.js upload handler allows an authenticated user to craft upload requests that cause the server to write data to any filesystem location, delete arbitrary directories during post‑assembly cleanup, and probe for the existence of files or directories. The issue is a classic directory traversal (CWE‑22) combined with insecure file handling (CWE‑73); it can result in significant data loss or corruption and could be leveraged to gain further destructive capabilities within the server environment.
Affected Systems
FileRise versions from 1.0.1 through any release prior to 3.10.0 are affected. Users deploying the self‑hosted web file manager without upgrading to 3.10.0 or later are at risk. The vulnerability exists in the default Resumable.js implementation in the UploadModel::handleUpload() component.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests current exploitation risk is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with upload permission; the attacker must submit a crafted multipart request to the upload endpoint. No elevated privileges are required beyond normal user rights, but the impact is confined to the filesystem of the hosting server.
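As an added example (not FileRise's own code) of the checks an upload handler needs before using resumableIdentifier as a path component: an allowlist on the identifier, a resolved-path containment check on the chunk directory, and a cleanup routine that can only remove a directory beneath the chunk root. The function names, the chunk-root layout and the constructed identifiers are assumptions for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Allowlist for resumableIdentifier. Resumable.js derives it from the file size
# and a cleaned filename, so letters, digits, '-' and '_' cover legitimate
# clients; slashes, dots, backslashes and NUL bytes are rejected outright.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def validate_identifier(identifier: str) -> bool:
    return IDENTIFIER_RE.fullmatch(identifier) is not None


def chunk_dir_for(chunk_root: Path, identifier: str) -> Path:
    """Resolve the per-upload chunk directory; refuse anything that escapes
    chunk_root even if the allowlist were somehow bypassed (defence in depth)."""
    if not validate_identifier(identifier):
        raise ValueError("invalid resumableIdentifier")
    root = chunk_root.resolve()
    target = (root / identifier).resolve()
    if target != root and root not in target.parents:
        raise ValueError("resumableIdentifier escapes chunk root")
    return target


def cleanup_chunks(chunk_root: Path, identifier: str) -> bool:
    """Post-assembly cleanup that only removes a directory strictly inside chunk_root."""
    target = chunk_dir_for(chunk_root, identifier)
    if target == chunk_root.resolve() or not target.is_dir():
        return False  # never remove the root itself, nothing to do otherwise
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Exercise the checks against constructed identifiers in a temporary chunk root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "chunks"
        (root / "upload-42_abc").mkdir(parents=True)
        results = {"ok_removed": cleanup_chunks(root, "upload-42_abc")}
        results["ok_gone"] = not (root / "upload-42_abc").exists()
        # Constructed hostile identifiers: each must be rejected, not resolved.
        for bad in ("../../etc", "..", "a/../../b", "c\\d", "x\x00y", ""):
            try:
                chunk_dir_for(root, bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        results["root_intact"] = root.is_dir()
        return results
```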
OpenCVE Enrichment