Description
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Apply Patch
AI Analysis

Impact

FileRise's snippet–retrieval endpoint permits an authenticated user with only read‑own access to a folder to fetch content from files uploaded by other users in the same folder. This represents a server‑side authorization deficiency that allows an attacker to read confidential data belonging to other users, compromising data confidentiality and privacy.

Affected Systems

Affected versions of the FileRise file manager range from 2.3.7 through 3.10.0. The vulnerability is present in all builds within that span and is resolved in version 3.11.0. The product is distributed by error311.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, and an EPSS score of less than 1% suggests low exploitation probability. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalogue. Exploitation requires an authenticated user with read‑own permissions on a shared folder and physical or network access to the FileRise instance. With these conditions, an attacker can exfiltrate sensitive file snippets from peer users.

Generated by OpenCVE AI on March 31, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official FileRise update to version 3.11.0 or later.

Generated by OpenCVE AI on March 31, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Filerise
Filerise filerise
CPEs cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*
Vendors & Products Filerise
Filerise filerise

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Error311
Error311 filerise
Vendors & Products Error311
Error311 filerise

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
Title FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Error311 Filerise
Filerise Filerise
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:23:47.892Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33477

cve-icon Vulnrichment

Updated: 2026-03-26T17:46:56.313Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T18:16:29.580

Modified: 2026-03-31T12:38:12.703

Link: CVE-2026-33477

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:08:42Z

Weaknesses