CVE-2026-54414 is a critical path traversal vulnerability in FileRise before version 3.16.0. The shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php) improperly validates upload filenames by applying basename() and a regex that blocks '/' and '\' but not URL-encoded equivalents like '%2f'. The raw filename is then urldecoded and reconstructed, reintroducing path separators that bypass validation. The UploadNamePolicy only checks the final filename component, allowing traversal sequences to pass extension policies. The vulnerable code uses move_uploaded_file() without realpath containment checks, enabling arbitrary file writes outside the intended directory. An attacker with a valid, non-expired, upload-enabled shared-folder link/token can overwrite files such as users/users.txt to create an administrator account, leading to unauthenticated admin takeover and possible remote code execution depending on configuration. The vulnerability is fixed in version 3.16.0 by decoding the filename before validation and rejecting any path separators.

An attacker who obtains a valid, non-expired, upload-enabled shared-folder link/token can exploit this vulnerability to write arbitrary files outside the designated upload directory. This can result in unauthorized administrator account creation, leading to full administrative control of the FileRise instance without authentication. Depending on the system configuration, this may also enable remote code execution. The vulnerability thus compromises confidentiality, integrity, and availability of the affected system.

A fix is available in FileRise version 3.16.0, which properly URL-decodes filenames before validation and rejects any path separators in upload filenames. Users should upgrade to version 3.16.0 or later to remediate this vulnerability. Until upgraded, restrict access to valid, non-expired, upload-enabled shared-folder links/tokens to trusted users only. Patch status is confirmed fixed in 3.16.0.