CVE-2026-33330

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33330

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33330.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33330

Aliases

GHSA-6c3j-f4x4-36m3

Published

2026-03-24T19:15:03.367Z

Modified

2026-04-02T13:41:34.434411Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

FileRise ONLYOFFICE integration allows read-only users to overwrite files via forged save callback

Details

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33330.json"
}

References

Affected packages

Git / github.com/error311/filerise

Affected ranges

Type

GIT

Repo

https://github.com/error311/filerise

Events

Introduced

Fixed

f948847285027d0532107e2588c41512c7329045

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.10.0"
        }
    ]
}

Affected versions

1.*

1.4.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.3.0

v1.3.1

v1.3.13

v1.3.15

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

v1.6.1

v1.6.10

v1.6.11

v1.6.2

v1.6.3

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.8.0

v1.8.1

v1.8.10

v1.8.11

v1.8.12

v1.8.13

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.9.0

v1.9.1

v1.9.10

v1.9.11

v1.9.12

v1.9.13

v1.9.14

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.8

v1.9.9

v2.*

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.1.0

v2.10.1

v2.10.4

v2.10.5

v2.11.0

v2.11.1

v2.11.2

v2.11.3

v2.11.4

v2.12.0

v2.12.1

v2.13.0

v2.13.1

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.3.0

v2.3.1

v2.3.2

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.4.0

v2.5.0

v2.5.1

v2.5.2

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.8.0

v2.9.2

v2.9.3

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.6

v3.1.7

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.4.0

v3.4.1

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.6.1

v3.7.0

v3.8.0

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33330.json"