CVE-2026-33329: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in error311 FileRise
CVE-2026-33329 is a high-severity path traversal vulnerability in FileRise, a self-hosted web file manager and WebDAV server. Versions from 1.0.1 up to but not including 3.10.0 improperly handle the resumableIdentifier parameter in the chunked upload handler, allowing authenticated users with upload permissions to write files to arbitrary directories. This flaw also enables deletion of arbitrary directories during post-assembly cleanup and probing of file or directory existence. Exploitation requires authentication but no user interaction beyond upload permission. The vulnerability impacts integrity and availability of the server filesystem. It has been patched in version 3.10.0.
AI Analysis
Technical Summary
CVE-2026-33329 is a path traversal vulnerability categorized under CWE-22 and CWE-73 affecting FileRise versions 1.0.1 through 3.9.x. The issue arises because the resumableIdentifier parameter, used in the Resumable.js chunked upload handler (UploadModel::handleUpload()), is concatenated directly into filesystem paths without any sanitization or validation. This allows an authenticated user with upload permissions to manipulate the pathname to escape the intended upload directory and write files anywhere on the server's filesystem. Additionally, the vulnerability permits deletion of arbitrary directories during the post-assembly cleanup phase, which can be triggered after file uploads complete. Attackers can also probe for the existence of files or directories, potentially aiding further attacks or reconnaissance. The vulnerability does not require user interaction beyond having upload rights, but it does require authentication, limiting exposure to authorized users. The CVSS v3.1 score is 8.1 (high), reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts. The vulnerability was publicly disclosed on March 24, 2026, and fixed in FileRise version 3.10.0. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability poses a significant risk to organizations using vulnerable versions of FileRise. An attacker with upload permissions can overwrite or create arbitrary files anywhere on the server, potentially leading to code execution, defacement, or persistence mechanisms. The ability to delete arbitrary directories can cause data loss and service disruption, impacting availability. Probing file existence can facilitate further attacks by revealing sensitive information about the server's filesystem structure. Since FileRise is often used to manage and share files in enterprise or hosting environments, exploitation could compromise critical data integrity and availability. The requirement for authentication limits the attack surface but insider threats or compromised credentials could enable exploitation. Organizations relying on FileRise for file management or WebDAV services face risks of unauthorized data manipulation, service outages, and potential lateral movement within their networks.
Mitigation Recommendations
The primary mitigation is to upgrade FileRise to version 3.10.0 or later, where the vulnerability has been patched by properly sanitizing and validating the resumableIdentifier parameter before using it in filesystem paths. Until upgrading, organizations should restrict upload permissions strictly to trusted and verified users to minimize risk. Implement monitoring and alerting on unusual file system changes or deletions within the FileRise directories. Employ application-layer firewalls or Web Application Firewalls (WAFs) to detect and block suspicious path traversal patterns in upload requests. Conduct regular audits of user permissions and review logs for anomalous upload or deletion activities. Consider isolating the FileRise server in a segmented network zone with limited access to critical infrastructure to reduce potential impact. Finally, educate administrators and users about the risk and ensure credential hygiene to prevent unauthorized access.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.678Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2e66df4197a8e3b68b9a7
Added to database: 3/24/2026, 7:30:53 PM
Last enriched: 3/24/2026, 7:47:02 PM
Last updated: 3/24/2026, 8:31:21 PM