CVE-2026-33645: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ShaneIsrael fireshare
CVE-2026-33645 is a path traversal vulnerability in ShaneIsrael fireshare version 1. 5. 1. It allows an authenticated attacker to write arbitrary files outside the intended upload directory via the chunked upload endpoint by exploiting improper sanitization of the 'checkSum' multipart field. This can lead to integrity violations and potentially enable further attacks depending on the deployment environment. The issue is fixed in version 1. 5. 2.
AI Analysis
Technical Summary
Fireshare version 1.5.1 contains an authenticated path traversal vulnerability (CWE-22) in its chunked upload endpoint. The vulnerability arises because the 'checkSum' multipart field is used directly in filesystem path construction without proper sanitization or containment checks. This allows an attacker with authentication to write files to arbitrary locations writable by the Fireshare process, such as container temporary directories. This improper limitation of pathname can compromise file integrity and may facilitate follow-on attacks depending on the deployment context. The vulnerability is addressed in version 1.5.2.
Potential Impact
An authenticated attacker can write arbitrary files outside the intended upload directory, violating file integrity. This may enable further exploitation depending on the deployment environment, such as overwriting critical files or placing malicious payloads in writable paths. The vulnerability does not directly impact confidentiality or availability but poses a high integrity risk.
Mitigation Recommendations
Upgrade to fireshare version 1.5.2 or later, where this path traversal vulnerability is fixed. Since this is an authenticated vulnerability, ensure that only trusted users have upload permissions until the upgrade is applied. Patch status is confirmed fixed in version 1.5.2.
CVE-2026-33645: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ShaneIsrael fireshare
Description
CVE-2026-33645 is a path traversal vulnerability in ShaneIsrael fireshare version 1. 5. 1. It allows an authenticated attacker to write arbitrary files outside the intended upload directory via the chunked upload endpoint by exploiting improper sanitization of the 'checkSum' multipart field. This can lead to integrity violations and potentially enable further attacks depending on the deployment environment. The issue is fixed in version 1. 5. 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Fireshare version 1.5.1 contains an authenticated path traversal vulnerability (CWE-22) in its chunked upload endpoint. The vulnerability arises because the 'checkSum' multipart field is used directly in filesystem path construction without proper sanitization or containment checks. This allows an attacker with authentication to write files to arbitrary locations writable by the Fireshare process, such as container temporary directories. This improper limitation of pathname can compromise file integrity and may facilitate follow-on attacks depending on the deployment context. The vulnerability is addressed in version 1.5.2.
Potential Impact
An authenticated attacker can write arbitrary files outside the intended upload directory, violating file integrity. This may enable further exploitation depending on the deployment environment, such as overwriting critical files or placing malicious payloads in writable paths. The vulnerability does not directly impact confidentiality or availability but poses a high integrity risk.
Mitigation Recommendations
Upgrade to fireshare version 1.5.2 or later, where this path traversal vulnerability is fixed. Since this is an authenticated vulnerability, ensure that only trusted users have upload permissions until the upgrade is applied. Patch status is confirmed fixed in version 1.5.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T15:23:42.217Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c5a1c53c064ed76fce0c46
Added to database: 3/26/2026, 9:14:45 PM
Last enriched: 4/3/2026, 1:31:26 PM
Last updated: 5/10/2026, 2:24:26 PM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.