CVE-2026-44460

Severity: High
Published: 27 May 2026
Modified: 28 May 2026
KEV Added: not listed
Patch: (none recorded)
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-44460 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
- Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce.
- Assessment of authentication-related threats and vulnerabilities leads to remediation of missing or weak authentication controls.
- Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
  Addresses: CWE-200, CWE-287
- Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
  Addresses: CWE-200, CWE-287
- Audit record review and analysis can detect unauthorized exposure or access to sensitive information.
  Addresses: CWE-287, CWE-306
- Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
  Addresses: CWE-287, CWE-200
- Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A vulnerability in a public-facing web endpoint directly enables authentication bypass after the password check by exposing the TOTP secret.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.
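The two missing checks described above, modelled as an added example in Python (not FileRise's own PHP code): the vulnerable handler only asks whether some user is bound to the session, while the hardened handler requires a fully authenticated session, refuses to disclose an already-enrolled secret, and writes an audit line for every refusal. The session states, the in-memory user store and the audit list are assumptions of this model.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    user: str
    state: str  # assumed: "pending_login_user" (password ok, TOTP unverified) or "authenticated"

@dataclass
class User:
    totp_secret: Optional[str] = None  # base32 secret once TOTP is enrolled

def new_base32_secret() -> str:
    # 20 random bytes, base32-encoded as authenticator apps expect
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp_setup_vulnerable(session: Session, users: Dict[str, User]) -> Tuple[str, Optional[str]]:
    """Pre-3.12.0 behaviour as the advisory describes it: any session with a user bound
    to it may call setup, and an enrolled account gets its live secret handed back
    (in FileRise it was embedded in the QR PNG; here it is returned directly)."""
    user = users[session.user]
    if user.totp_secret is None:
        user.totp_secret = new_base32_secret()
    return ("ok", user.totp_secret)

def totp_setup_hardened(session: Session, users: Dict[str, User],
                        audit: List[str]) -> Tuple[str, Optional[str]]:
    """Adds the two checks the vulnerable version lacks and records each refusal."""
    # 1. A half-authenticated session (password only) must not reach TOTP enrolment.
    if session.state != "authenticated":
        audit.append(f"totp_setup refused for {session.user}: session state {session.state}")
        return ("refused", None)
    user = users[session.user]
    # 2. Never return an existing secret. Re-enrolment belongs in a separate,
    #    re-authenticated flow that mints a fresh secret; plain setup refuses.
    if user.totp_secret is not None:
        audit.append(f"totp_setup refused for {session.user}: TOTP already configured")
        return ("refused", None)
    user.totp_secret = new_base32_secret()
    return ("ok", user.totp_secret)
```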

Deeper analysis (AI-generated)

Automated synthesis unavailable for this CVE.
