CVE-2026-33329: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in error311 FileRise
CVE-2026-33329 is a high-severity path traversal vulnerability in FileRise, a self-hosted web file manager and WebDAV server. Versions from 1.0.1 up to but not including 3.10.0 are affected. The issue arises because the resumableIdentifier parameter in the chunked upload handler is concatenated directly into filesystem paths without sanitization. An authenticated user with upload permissions can exploit this flaw to write files into arbitrary directories, delete directories during post-assembly cleanup, and probe for the existence of files or directories. No user interaction beyond authentication is required, and the vulnerability has significant integrity and availability impact. The vulnerability has been patched in version 3.10.0.
AI Analysis
Technical Summary
CVE-2026-33329 is a path traversal vulnerability (CWE-22) in FileRise, a self-hosted web file manager and WebDAV server; the record also lists CWE-73 (External Control of File Name or Path), which names the same root cause from the input side. The flaw lives in the Resumable.js chunked upload handler, specifically UploadModel::handleUpload(). The resumableIdentifier parameter, which the client uses to group the chunks of one upload, is concatenated directly into filesystem paths without any sanitization or validation, so an authenticated user with upload permissions can steer the chunk directory outside the intended upload location and write files there. The same unvalidated path is reused twice more: the post-assembly cleanup removes the directory the identifier points at, which lets the attacker delete directories of their choosing, and the handler's checks on that path reveal whether a given file or directory exists, giving an existence oracle for reconnaissance on the server. All FileRise versions from 1.0.1 up to but not including 3.10.0 are affected. Exploitation requires an authenticated account with upload rights but no further user interaction. The CVSS 3.1 base score is 8.1 (High); the components stated in the record correspond to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, and high integrity and availability impact. The issue was publicly disclosed on March 24, 2026 and fixed in version 3.10.0. No exploitation in the wild had been reported at the time of writing.
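The pattern the advisory describes, as an added illustration in Python (this is not FileRise's code, which is not reproduced on this page): a Resumable.js-style chunk handler in its vulnerable shape, where the client-supplied resumableIdentifier is spliced into the chunk directory path, next to a hardened shape that allowlists the identifier and verifies the resolved path stays under the upload root. The function names, the sandbox layout and the allowlist regex are assumptions for this demonstration; the three consequences it exercises (a write outside the upload root, an existence oracle, and cleanup deleting an attacker-chosen directory) are the ones the advisory lists.

```python
import os
import re
import shutil
import tempfile

# Assumed allowlist for a Resumable.js identifier: the client derives it from
# size and filename, so letters, digits, '-' and '_' are enough.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


# --- vulnerable shape: the client value is spliced straight into the path ---

def chunk_dir_vulnerable(upload_root, identifier):
    # identifier is attacker-controlled; nothing stops "../" segments
    return upload_root + "/" + identifier


def handle_chunk_vulnerable(upload_root, identifier, chunk_number, data):
    """Store one chunk; with '../' in identifier this lands outside upload_root."""
    chunk_dir = chunk_dir_vulnerable(upload_root, identifier)
    os.makedirs(chunk_dir, exist_ok=True)
    chunk_path = chunk_dir + "/chunk." + str(int(chunk_number))
    with open(chunk_path, "wb") as fh:
        fh.write(data)
    return chunk_path


def chunk_dir_exists_vulnerable(upload_root, identifier):
    """A 'does this chunk set exist' check that answers differently for present
    and absent paths is an existence oracle for any path on the host."""
    return os.path.exists(chunk_dir_vulnerable(upload_root, identifier))


def cleanup_vulnerable(upload_root, identifier):
    """Post-assembly cleanup: recursively removes whatever the identifier names."""
    shutil.rmtree(chunk_dir_vulnerable(upload_root, identifier), ignore_errors=True)


# --- hardened shape: allowlist the value, then verify containment -----------

def chunk_dir_hardened(upload_root, identifier):
    if not SAFE_IDENTIFIER.fullmatch(identifier):
        raise ValueError("invalid resumableIdentifier")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, identifier))
    # Independent second check: even a value that passes the allowlist must
    # resolve to a path under the upload root (also catches symlink tricks).
    if os.path.commonpath([root, target]) != root:
        raise ValueError("chunk directory escapes upload root")
    return target


def handle_chunk_hardened(upload_root, identifier, chunk_number, data):
    chunk_dir = chunk_dir_hardened(upload_root, identifier)
    os.makedirs(chunk_dir, exist_ok=True)
    chunk_path = os.path.join(chunk_dir, "chunk.%d" % int(chunk_number))
    with open(chunk_path, "wb") as fh:
        fh.write(data)
    return chunk_path


def demo():
    """Exercise both shapes in a throwaway sandbox and report what happened."""
    sandbox = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        root = os.path.join(sandbox, "uploads")
        victim = os.path.join(sandbox, "victim")   # sibling directory outside uploads
        os.makedirs(root)
        os.makedirs(victim)
        open(os.path.join(victim, "important.txt"), "w").close()
        real_root = os.path.realpath(root)
        results = {}
        # 1. Arbitrary-directory write: the chunk lands in sandbox/victim/planted
        written = handle_chunk_vulnerable(root, "../victim/planted", 1, b"payload")
        results["wrote_outside_root"] = (
            os.path.commonpath([os.path.realpath(written), real_root]) != real_root)
        # 2. Existence oracle: file and directory names can be guessed one at a time
        results["probe_file_hit"] = chunk_dir_exists_vulnerable(root, "../victim/important.txt")
        results["probe_miss"] = chunk_dir_exists_vulnerable(root, "../victim/no-such-file")
        # 3. Cleanup removes the directory the attacker named, not a chunk directory
        cleanup_vulnerable(root, "../victim")
        results["victim_deleted"] = not os.path.exists(victim)
        # 4. The hardened handler rejects the same identifier and keeps valid ones inside root
        try:
            handle_chunk_hardened(root, "../victim/planted", 1, b"payload")
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        ok = handle_chunk_hardened(root, "1234-report_pdf", 1, b"payload")
        results["hardened_inside_root"] = ok.startswith(real_root + os.sep)
        return results
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks in chunk_dir_hardened are deliberately independent: the allowlist rejects traversal syntax outright, and the realpath containment check catches anything the allowlist might later be relaxed to admit, including a symlink planted under the upload root by an earlier upload.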
Potential Impact
An authenticated user with upload permissions can write files into any directory the FileRise process itself can write to, which with typical server privileges covers far more than the upload area. If that includes a location the web server executes from, a planted script becomes remote code execution; whether it does depends on the deployment's filesystem permissions and document-root layout. The cleanup path turns the same flaw into a destructive primitive: deleting directories the service is able to remove, including application or data directories, causes denial of service and data loss. The existence oracle supports reconnaissance, letting an attacker confirm paths, configuration files or other users' data before a further attack. Because FileRise typically manages sensitive files and exposes WebDAV, a compromised instance can also serve as a foothold for lateral movement within the network. The authentication requirement narrows exposure but does not remove it: any account with upload rights, including a phished or weakly protected one, suffices, and in multi-user deployments the upload role is commonly granted broadly. The absence of known exploits lowers immediate risk, but the attack complexity is low and patching should not wait for one.
Mitigation Recommendations
1. Upgrade FileRise installations to version 3.10.0 or later, where the vulnerability is patched; this is the only complete fix.
2. If an immediate upgrade is not possible, reject any resumableIdentifier that is not a plain token (for example letters, digits, '-' and '_') before it touches a path, and verify that the resolved chunk directory still lies under the upload root. This is a change to the upload handler; a reverse proxy or WAF rule that drops requests whose resumableIdentifier contains '..' after URL-decoding is only a stopgap, and it must decode repeatedly, since %2e%2e and %252e%252e are the same traversal.
3. Restrict upload permissions to trusted users only and enforce strong authentication, including multi-factor authentication where the deployment supports it.
4. Run the FileRise service as a dedicated low-privilege account whose write and delete access is limited to the upload and data directories, and keep those directories outside any path the web server executes from; this caps what a successful traversal can reach.
5. Monitor web-server and application logs for resumableIdentifier values containing traversal sequences or characters outside a plain token, and for unexpected directory deletions, as indicators of exploitation attempts.
6. Include file upload and chunk-assembly functionality in regular security audits and penetration tests.
7. Segment FileRise hosts from critical infrastructure so that a compromise of the file manager does not give direct reach into other systems.
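One way to act on the monitoring recommendation, as an added example that is not part of the original advisory: a Python scan over web-server access-log lines that extracts resumableIdentifier from the request query string, undoes repeated percent-encoding, and flags values containing traversal sequences or anything outside a strict allowlist. The log lines, endpoint path, usernames and addresses are constructed for the example; it assumes the identifier appears in the request line (as Resumable.js test-chunk GET requests put it in the query string) and that multipart POST bodies, which access logs do not record, are covered by application-level logging.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format) for the demonstration.
# Endpoint path, users and addresses are made up; only the parameter name
# resumableIdentifier comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Mar/2026:10:01:02 +0000] "GET /api/upload?resumableChunkNumber=1&resumableIdentifier=12345-reportpdf&resumableFilename=report.pdf HTTP/1.1" 204 0
10.0.0.9 - bob [24/Mar/2026:10:02:17 +0000] "GET /api/upload?resumableChunkNumber=1&resumableIdentifier=..%2F..%2Fvar%2Fwww%2Fhtml&resumableFilename=x HTTP/1.1" 200 0
10.0.0.9 - bob [24/Mar/2026:10:02:18 +0000] "GET /api/upload?resumableChunkNumber=1&resumableIdentifier=%252e%252e%2Fetc&resumableFilename=x HTTP/1.1" 404 0
10.0.0.7 - carol [24/Mar/2026:10:03:00 +0000] "GET /api/upload?resumableChunkNumber=2&resumableIdentifier=..\\..\\windows&resumableFilename=x HTTP/1.1" 404 0
10.0.0.5 - alice [24/Mar/2026:10:04:44 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment, with either separator (Windows hosts too)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Assumed shape of a legitimate Resumable.js identifier
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def decode_fully(value, max_rounds=3):
    """Peel repeated percent-encoding so %252e%252e (-> %2e%2e -> ..) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_identifiers(log_text):
    """One finding per request whose resumableIdentifier is not a clean token."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs performs one round of percent-decoding; decode_fully does the rest
        for raw in parse_qs(query, keep_blank_values=True).get("resumableIdentifier", []):
            ident = decode_fully(raw)
            if TRAVERSAL.search(ident):
                reason = "traversal"
            elif not SAFE_IDENTIFIER.fullmatch(ident):
                reason = "non-allowlisted"
            else:
                continue
            findings.append({
                "ip": m["ip"], "user": m["user"], "timestamp": m["ts"],
                "identifier": ident, "status": int(m["status"]), "reason": reason,
            })
    return findings


def per_user_counts(findings):
    """Which accounts are sending bad identifiers, and how often."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    hits = suspicious_identifiers(SAMPLE_LOG)
    for f in hits:
        print(f"{f['timestamp']} {f['user']}@{f['ip']} {f['reason']}: "
              f"{f['identifier']!r} (HTTP {f['status']})")
    print(dict(per_user_counts(hits)))
```

Keep the response status in each finding: a string of test-chunk requests with traversal identifiers that receive varying status codes is exactly the existence probing the advisory describes, and the accounts behind them are the ones to suspend while the upgrade is rolled out.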
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, Netherlands, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.678Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2e66df4197a8e3b68b9a7
Added to database: 3/24/2026, 7:30:53 PM
Last enriched: 3/31/2026, 8:14:19 PM
Last updated: 5/8/2026, 10:20:32 PM