{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54414", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-06-13T16:39:46.122Z", "datePublished": "2026-06-19T05:41:44.782Z", "dateUpdated": "2026-06-19T05:41:44.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-19T05:41:44.782Z"}, "title": "FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "affected": [{"vendor": "error311", "product": "FileRise", "collectionURL": "https://github.com/error311/FileRise", "repo": "https://github.com/error311/FileRise", "programFiles": ["src/FileRise/Domain/UploadModel.php", "src/FileRise/Support/UploadNamePolicy.php", "src/FileRise/Http/Controllers/FolderController.php"], "versions": [{"status": "affected", "version": "0", "lessThan": "3.16.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \\ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (<code>/api/folder/uploadToSharedFolder.php</code>), leading to arbitrary file write and administrator account takeover. The upload filename is validated by <code>FolderController</code> with <code>basename()</code> and <code>REGEX_FILE_NAME</code>, which permit URL-encoded sequences (the regex blocks <code>/</code> and <code>\\</code> but not <code>%</code>). The raw filename is then passed to <code>UploadModel::handleUpload</code>, where it is reconstructed as <code>trim(urldecode(basename($fileName)))</code>, re-introducing path separators after validation (e.g. <code>..%2fusers%2fusers.txt</code> becomes <code>../users/users.txt</code>). <code>UploadNamePolicy::isAllowedForWrite()</code> applies <code>basename()</code> internally and therefore only evaluates the final component (<code>users.txt</code>), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in <code>move_uploaded_file()</code> with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite <code>users/users.txt</code> to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.</p>"}]}], "references": [{"url": "https://github.com/error311/FileRise/releases/tag/v3.16.0", "name": "Fixed release v3.16.0", "tags": ["patch"]}, {"url": "https://github.com/error311/FileRise/blob/v3.15.0/src/FileRise/Domain/UploadModel.php#L1023", "name": "Vulnerable decode-after-validate (UploadModel.php, v3.15.0)", "tags": ["technical-description"]}, {"url": "https://github.com/error311/FileRise", "tags": ["product"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Shaxzod Turg'unov (j33d1)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}}}}

{}

{}

{}

{"created": "2026-06-19T07:30:16.308993+00:00", "updated": "2026-06-19T07:30:16.309006+00:00", "vendors": []}