CVE-2026-33071: CWE-434: Unrestricted Upload of File with Dangerous Type in error311 FileRise
CVE-2026-33071 is a medium severity vulnerability in FileRise versions prior to 3.8.0, a self-hosted web file manager and WebDAV server. The vulnerability arises because the WebDAV upload endpoint does not validate file extensions, allowing attackers to upload files with dangerous server-side executable extensions such as .php, .phtml, and .htaccess. This bypasses the filename validation enforced on the regular upload path. In deployments without Apache's LocationMatch protection, this can lead to remote code execution. The flaw is due to the createFile() and put() methods accepting filenames directly from WebDAV clients without validation.
AI Analysis
Technical Summary
FileRise is a self-hosted web file manager and WebDAV server that prior to version 3.8.0 contained a vulnerability (CVE-2026-33071) related to unrestricted file uploads via its WebDAV interface. Specifically, the WebDAV upload endpoint accepts any file extension, including potentially dangerous server-side executable types such as .phtml, .php5, and .htaccess. This occurs because the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept filenames directly from the WebDAV client without performing validation. In contrast, the regular upload endpoint uses a regex-based filename validation (REGEX_FILE_NAME) to restrict uploads to safe file types. The lack of validation on the WebDAV path allows attackers to upload malicious scripts that can be executed by the server if the deployment does not have Apache's LocationMatch directive configured to block execution in the upload directory. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary code on the server. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-552 (Files or Directories Accessible to External Parties). The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low attack complexity, and requires privileges (PR:L) but no user interaction. The vulnerability affects all FileRise versions prior to 3.8.0 and was publicly disclosed on March 20, 2026. No known exploits have been reported in the wild to date. The issue is resolved in version 3.8.0 by implementing proper filename validation on the WebDAV upload endpoint.
Potential Impact
The primary impact of this vulnerability is the potential for remote code execution on servers running vulnerable versions of FileRise without proper Apache LocationMatch protections. Successful exploitation would allow attackers to upload malicious server-side scripts that can be executed, compromising the confidentiality, integrity, and availability of the affected system. This could lead to unauthorized access, data theft, defacement, or further network pivoting. Organizations using FileRise as a web file manager or WebDAV server, especially those exposing it to the internet, face increased risk of compromise. Since the vulnerability requires low attack complexity and network access with some privileges, insider threats or attackers who have gained limited access could escalate their control. The lack of user interaction needed increases the risk of automated exploitation once an attacker gains access. However, the medium CVSS score reflects that exploitation requires some privileges and specific server configurations lacking Apache protections. The vulnerability could disrupt business operations, lead to data breaches, and damage organizational reputation if exploited.
Mitigation Recommendations
Organizations should immediately upgrade FileRise to version 3.8.0 or later, where the vulnerability is fixed by enforcing filename validation on the WebDAV upload endpoint. Until upgrading, administrators should implement strict Apache LocationMatch directives or equivalent web server configurations to prevent execution of uploaded files in the WebDAV directories. Restrict WebDAV access to trusted users and networks only, employing strong authentication and network segmentation. Monitor WebDAV upload directories for suspicious files, especially those with executable extensions like .php, .phtml, or .htaccess. Employ file integrity monitoring and intrusion detection systems to detect unauthorized uploads or execution attempts. Regularly audit server configurations to ensure that upload directories are not executable. Consider disabling WebDAV if not required or replacing it with more secure file transfer mechanisms. Finally, maintain up-to-date backups and incident response plans to recover quickly if exploitation occurs.
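As an added example (not FileRise's own code), the Python below sketches the gate the analysis says was missing on the WebDAV put()/createFile() path, applies it to a constructed directory listing, and doubles as the check a defender could run while monitoring upload directories. SAFE_NAME_RE is an assumed allow-list standing in for FileRise's REGEX_FILE_NAME (the real pattern is not on this page) and DANGEROUS_EXT is a constructed deny-list built from the extensions the advisory names.

```python
import re

# ASSUMPTION: an allow-list in the spirit of the REGEX_FILE_NAME check FileRise
# applies on its regular upload path. FileRise's real pattern is not reproduced.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")

# Constructed deny-list: the server-side executable and Apache config names the
# advisory cites (.php, .phtml, .php5, .htaccess) plus common sibling variants.
DANGEROUS_EXT = {"php", "phtml", "php3", "php4", "php5", "php7",
                 "phar", "htaccess", "htpasswd"}


def is_safe_upload_name(name: str) -> bool:
    """True only for a bare file name whose every suffix is non-executable.

    Rejects separators, traversal and leading dots (so '.htaccess' fails),
    normalises case and trailing dots/spaces, and checks every dot-separated
    suffix, because Apache mod_mime with AddHandler can treat 'shell.php.jpg'
    as a PHP script.
    """
    if not SAFE_NAME_RE.fullmatch(name) or ".." in name:
        return False
    suffixes = name.lower().rstrip(". ").split(".")[1:]
    return not any(s in DANGEROUS_EXT for s in suffixes)


def webdav_put(name: str, data: bytes, store: dict) -> bool:
    """Hardened analogue of the WebDAV put()/createFile() step: run the same
    validation as the regular upload path before touching storage. The
    vulnerable versions wrote the client-supplied name with no such gate."""
    if not is_safe_upload_name(name):
        return False
    store[name] = data
    return True


def flag_suspicious(listing) -> list:
    """Names in an upload-directory listing that fail the check; supports the
    'monitor WebDAV upload directories' recommendation."""
    return sorted(n for n in listing if not is_safe_upload_name(n))


# Constructed sample listing, not taken from any real deployment.
SAMPLE_LISTING = ["report-2026.pdf", "notes.txt", "shell.php", "shell.PHP.jpg",
                  "tiny.phtml", ".htaccess", "../escape.txt", "image.png"]

if __name__ == "__main__":
    store = {}
    for n in SAMPLE_LISTING:
        print(f"{n!r:20} accepted={webdav_put(n, b'', store)}")
    print("flagged:", flag_suspicious(SAMPLE_LISTING))
```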
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, Netherlands, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.344Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69bd0b4ce32a4fbe5f4933b4
Added to database: 3/20/2026, 8:54:36 AM
Last enriched: 3/27/2026, 7:32:17 PM
Last updated: 4/30/2026, 4:52:46 PM