CVE-2026-33645

HIGH 7.1

Fireshare has Path Traversal Arbitrary File Write in `/api/uploadChunked`

CVSS Score

7.1

EPSS Score

0.1%

EPSS Percentile

17th

Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.

CWE	CWE-22 CWE-73
Vendor	shaneisrael
Product	fireshare
Published	Mar 26, 2026
Last Updated	Mar 27, 2026

Stay Ahead of the Next One

Get instant alerts for shaneisrael fireshare

Be the first to know when new high vulnerabilities affecting shaneisrael fireshare are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

ShaneIsrael / fireshare

= 1.5.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7 github.com: https://github.com/ShaneIsrael/fireshare/releases/tag/v1.5.2