CVE-2026-33477

Summary

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only read_own access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the read_own enforcement for hover previews. Version 3.11.0 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
error311FileRise>= 2.3.7, < 3.11.0affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References