CVE-2026-33070
Last modified
CVE-2026-33070 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. The POST /api/file/deleteShareLink.php endpoint calls FileController::deleteShareLink() which performs no authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. This issue is fixed in version 3.8.0.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Filerise | Filerise | < 3.8.0 |
References
- https://github.com/error311/FileRise/releases/tag/v3.8.0Product, Release Notes
- https://github.com/error311/FileRise/security/advisories/GHSA-vh5m-w36c-99xvExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33070?
How severe is CVE-2026-33070?
How do I fix CVE-2026-33070?
Are you affected by CVE-2026-33070?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST