Description
FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FileRise before version 3.16.0 contains a path traversal flaw in the shared‑folder upload endpoint. The filename is validated with basename() and a regex that ignores percent‑encoding, allowing an attacker to craft a URL‑encoded file name that, after decoding, contains directory traversal characters. The upload routines then reconstruct the filename and copy it to the destination with move_uploaded_file() without a containment check, permitting writes outside the intended directory. By overwriting a file such as users/users.txt an attacker can create an administrator account, leading to unauthenticated admin takeover and, depending on the system configuration, remote code execution.
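The validate-then-decode ordering described above, shown beside a hardened resolver that decodes first, rejects separators, and confirms containment with realpath(). This is an added illustration, not FileRise's own code; the function names and upload directory are placeholders, and PHP 8 is assumed for str_contains().

```php
<?php
// Added example (not FileRise code). Placeholder names throughout.

// Stand-in for the pre-3.16.0 pattern: the raw name is checked first
// and only URL-decoded afterwards, so the decode re-introduces separators.
function vulnerableResolve(string $uploadDir, string $rawName): string
{
    // The regex rejects / and \ but not %, so a percent-encoded name passes.
    if (!preg_match('/^[^\/\\\\]+$/', basename($rawName))) {
        throw new InvalidArgumentException('rejected by filename regex');
    }
    $name = trim(urldecode(basename($rawName)));  // separators come back here
    return $uploadDir . '/' . $name;               // used with no containment check
}

// Hardened ordering: decode, then reject anything that is not a plain
// single-component name, then verify the resolved parent is the upload dir.
function safeResolve(string $uploadDir, string $rawName): string
{
    $name = trim(urldecode($rawName));
    if ($name === '' || $name === '.' || $name === '..'
        || str_contains($name, '/') || str_contains($name, '\\')
        || str_contains($name, "\0")) {
        throw new InvalidArgumentException('path separator in filename');
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // The file does not exist yet, so containment is checked on its parent.
    // Redundant after the separator check above, but cheap defence in depth.
    if (realpath(dirname($target)) !== $base) {
        throw new RuntimeException('destination escapes upload directory');
    }
    return $target;
}

$encoded = '..%2fusers%2fusers.txt';  // sample filename quoted in the advisory text

// Vulnerable ordering yields a path that walks out of the upload directory.
echo vulnerableResolve('/srv/filerise/uploads/shared', $encoded), PHP_EOL;

// Hardened ordering refuses the same input.
try {
    safeResolve(sys_get_temp_dir(), $encoded);
} catch (Exception $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```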

Affected Systems

The vulnerability exists in FileRise prior to version 3.16.0; the fix is delivered in release 3.16.0 and later. No specific sub‑versions are identified beyond that range, so any installation of 3.15 or earlier is affected.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires possession of a valid, non‑expired upload‑enabled shared‑folder link/token, which are intentionally shared publicly. With such a token an attacker can perform the path traversal and overwrite critical files, resulting in privilege escalation or potentially remote code execution. The attack surface is remote and relies on the web upload interface.

Generated by OpenCVE AI on June 19, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FileRise to version 3.16.0 or later, which applies the missing URL‑decode-before‑validation fix.
  • If an upgrade cannot be performed immediately, disable or revoke all active shared‑folder upload‑enabled links and tokens to prevent unauthorized file uploads.
  • Monitor the server’s file system for unexpected write operations and review user accounts for any unauthenticated administrator creation.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 08:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Error311; Error311 filerise
Vendors & Products   |                | Error311; Error311 filerise

Fri, 19 Jun 2026 06:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (identical to the Description at the top of this page)
Title       |                | FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover
Weaknesses  |                | CWE-22; CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-19T05:41:44.782Z

Reserved: 2026-06-13T16:39:46.122Z

Link: CVE-2026-54414

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T08:00:09Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-434

    Unrestricted Upload of File with Dangerous Type