CVE-2026-54414

Source
https://cve.org/CVERecord?id=CVE-2026-54414
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54414.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54414
Published
2026-06-19T05:41:44.782Z
Modified
2026-07-08T08:13:45.827380252Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover
Details

FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEXFILENAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in moveuploadedfile() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54414.json",
    "cna_assigner": "TuranSec",
    "cwe_ids": [
        "CWE-22",
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/error311/filerise

Affected ranges

Type
GIT
Repo
https://github.com/error311/filerise
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.16.0"
        }
    ]
}

Affected versions

1.*
1.4.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.13
v1.3.15
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.2
v1.6.3
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.10
v1.9.11
v1.9.12
v1.9.13
v1.9.14
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v2.*
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.10.1
v2.10.4
v2.10.5
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.11.4
v2.12.0
v2.12.1
v2.13.0
v2.13.1
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.9.2
v2.9.3
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.6
v3.1.7
v3.10.0
v3.11.0
v3.11.1
v3.11.2
v3.12.0
v3.13.0
v3.14.0
v3.15.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.7.0
v3.8.0
v3.9.0
v3.9.1
v3.9.2
v3.9.3
v3.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54414.json"