Fireshare, a self‑hosted media sharing platform, contains an unauthenticated path traversal vulnerability in the /api/uploadChunked/public endpoint. By manipulating the checkSum parameter, a remote actor can write arbitrary files with attacker‑controlled content to any writable location on the server. This arbitrary file write capability can be leveraged to drop web shells, modify configuration files, or deliver malware, thereby exposing the host to full remote code execution as well as compromising data integrity and confidentiality.

The issue is present in all releases of Fireshare prior to version 1.5.3 distributed by ShaneIsrael. Any deployment of Fireshare before the 1.5.3 release is affected and must be addressed. Updated releases 1.5.3 and later contain the necessary patch.

The CVSS score of 9.1 reflects the high impact of this flaw. The EPSS score of less than 1% indicates a currently low probability of exploitation, but the lack of authentication and the relative simplicity of exploitation mean that once discovered, attackers could disable defenses swiftly. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate attention. The attack vector is a remote, unauthenticated HTTP request to /api/uploadChunked/public with a crafted payload; no special privileges or credentials are required.