CVE-2026-34745 is a path traversal vulnerability classified under CWE-22 affecting the fireshare self-hosted media and link sharing platform developed by ShaneIsrael. The vulnerability arises from improper validation of the pathname in the unauthenticated /api/uploadChunked/public endpoint. While a previous fix for CVE-2026-33645 addressed this issue on the authenticated upload endpoint, the same validation was not applied to the public endpoint, leaving it exposed. An attacker can manipulate the checkSum parameter to traverse directories and write arbitrary files anywhere writable on the server. This can lead to arbitrary file creation or overwriting, potentially allowing remote code execution, persistent backdoors, or denial of service by corrupting critical files. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The flaw affects all fireshare versions prior to 1.5.3, and the vendor has released a patch in version 1.5.3 to properly sanitize and restrict file paths on the public upload endpoint. No public exploits are known yet, but the vulnerability’s nature and ease of exploitation make it a critical threat.

The impact of CVE-2026-34745 is severe for organizations using vulnerable versions of fireshare. An attacker can write arbitrary files to any writable location on the server, potentially leading to remote code execution, unauthorized persistence, data tampering, or denial of service. This compromises the integrity and availability of the affected system and can indirectly affect confidentiality if attackers gain further access through malicious payloads. Since the vulnerable endpoint is unauthenticated and accessible over the network, the attack surface is broad, increasing the likelihood of exploitation. Organizations relying on fireshare for media or link sharing may face service disruption, data loss, or full system compromise. The vulnerability also poses risks to supply chain security if fireshare instances are used internally or exposed to third parties. Given the critical CVSS score of 9.1, the threat demands immediate attention to prevent potential breaches.

To mitigate CVE-2026-34745, organizations should immediately upgrade fireshare to version 1.5.3 or later, where the vulnerability is patched. If upgrading is not immediately possible, implement network-level controls to restrict access to the /api/uploadChunked/public endpoint, such as IP whitelisting or firewall rules limiting exposure to trusted networks. Conduct thorough file system permission audits to ensure the fireshare process has minimal write permissions, restricting it from writing outside designated directories. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the checkSum parameter. Monitor logs for suspicious file write activities or unexpected uploads. Additionally, conduct regular integrity checks on critical files and maintain offline backups to recover from potential tampering. Finally, review and apply secure coding practices for path validation in custom or third-party applications to prevent similar issues.