CVE-2026-33070

Published: Mar 20, 2026 Last Modified: Mar 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

LOW 3,7

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: none

Description

AI Translation Available

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. The POST /api/file/deleteShareLink.php endpoint calls FileController::deleteShareLink() which performs no authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. This issue is fixed in version 3.8.0.

306

Missing Authentication for Critical Function

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Other

Potential Impacts:

Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Cloud Computing, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://github.com/error311/FileRise/releases/tag/v3.8.0

https://github.com/error311/FileRise/security/advisories/GH…

https://github.com/error311/FileRise/security/advisories/GHSA-vh5m-w36c-99xv

CVE-2026-33070

Description

Missing Authentication for Critical Function

Common Consequences

Applicable Platforms

Iscriviti alla newsletter