CVE-2026-54414
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk49th percentile — higher than 49% of all known CVEs
Summary
FileRise versions before 3.16.0 are vulnerable to path traversal in the shared-folder upload endpoint, leading to arbitrary file write and administrator account takeover. An attacker can exploit a valid upload-enabled shared-folder link/token to overwrite files and gain administrator access.
Risk Assessment
The organization is at serious risk of administrator account takeover and potential remote code execution, which could lead to data loss and security breaches.
Recommendation
It is recommended to upgrade to version 3.16.0 or later, which implements security fixes against this type of attack by properly URL-decoding before filename validation.
Original NVD description (English source)
FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.

