CVE-2026-33071
Published: 20 March 2026
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2026-33071 affects FileRise, a self-hosted web file manager and WebDAV server, in versions prior to 3.8.0. The vulnerability stems from the WebDAV upload endpoint, implemented in the createFile() method of FileRiseDirectory.php and the put() method of FileRiseFile.php, which accepts filenames directly from WebDAV clients without validation. This bypasses the filename validation enforced by REGEX_FILE_NAME in the regular upload endpoint of UploadModel::upload(), allowing uploads of files with executable extensions such as .phtml, .php5, and .htaccess. Published on 2026-03-20 with a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), it is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-552 (Files or Directories Accessible to External Parties).
An authenticated attacker with low privileges (PR:L) and network access can exploit this by uploading malicious files via the WebDAV endpoint. In non-default deployments lacking Apache's LocationMatch protection, this enables remote code execution by serving the uploaded executable files.
The issue is fixed in FileRise version 3.8.0, as detailed in the release notes at https://github.com/error311/FileRise/releases/tag/v3.8.0 and the security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-46gv-gf5f-wvr2, which recommend upgrading to mitigate the vulnerability.
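The bypass described above comes down to one upload path (WebDAV PUT) skipping the filename checks the regular upload endpoint applies. The following added example, not code from the FileRise project, shows the kind of single validation routine a defender would want applied to both paths: it rejects path separators, dotfiles such as .htaccess, and every server-executable extension in the name, not just the last one. The allow-list pattern and the blocked-extension set are assumptions constructed for this example, not FileRise's REGEX_FILE_NAME.

```python
import re

# Constructed allow-list for one path segment; NOT FileRise's REGEX_FILE_NAME,
# whose exact pattern is not given in the advisory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$")

# Illustrative (not exhaustive) set of extensions an Apache/PHP host may execute
# or interpret as configuration; a web file manager should never store these.
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "htaccess", "htpasswd", "cgi", "pl", "shtml",
}


def validate_upload_name(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload filename.

    These are the checks the WebDAV PUT path skipped per the advisory: path
    separators, dotfiles (.htaccess), and each dotted suffix in the name, so a
    double extension such as 'shell.php5.txt' is rejected as well.
    """
    if not name or name in (".", ".."):
        return False, "empty or reserved name"
    if "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator or NUL byte in name"
    if name.startswith("."):
        return False, "hidden/dot file (e.g. .htaccess) not allowed"
    if not SAFE_NAME.fullmatch(name):
        return False, "name contains characters outside the allow-list"
    # Inspect every suffix after the first dot, not only the final one.
    for ext in name.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return False, f"extension '.{ext}' is not permitted"
    return True, "ok"


def webdav_put_guard(target_path: str) -> tuple[bool, str]:
    """Apply the same validation to the final segment of a WebDAV PUT target,
    so the DAV endpoint cannot accept what the upload form would refuse."""
    segment = target_path.rstrip("/").rsplit("/", 1)[-1]
    return validate_upload_name(segment)
```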
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application through unrestricted file upload over WebDAV (T1190), and the resulting ability to place executable PHP files on the server facilitates deployment of web shells for remote code execution (T1505.003).