CVE-2026-34745
Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public
| CVSS Score | 9.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can exploit the checkSum parameter to write arbitrary files with attacker-controlled content to any writable path on the server filesystem. This issue has been patched in version 1.5.3.
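The description above comes down to a client-supplied checkSum reaching a filesystem path on a route that skipped the check its sibling route had. The following is an added example, not Fireshare's code or the patch referenced on this page: one helper that every upload route would call to build the chunk path. The names `chunk_path` and `UnsafeUploadPath`, the `.partNNNNN` file naming, and the assumption that checkSum is a hex digest are all illustrative.

```python
import re
from pathlib import Path

# Assumption: checkSum is a hex digest (MD5 through SHA-512 length); the page does not state its format.
_HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32,128}")


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied value cannot be mapped inside the upload root."""


def chunk_path(upload_root, checksum, chunk_index):
    """Map (checkSum, chunk index) to a file under upload_root, or raise.

    Hypothetical helper: meant to be the one place every upload route,
    authenticated or public, builds its on-disk path.
    """
    # Allowlist first: a hex digest cannot contain '/', '\\', '.' or NUL.
    if not isinstance(checksum, str) or not _HEX_DIGEST.fullmatch(checksum):
        raise UnsafeUploadPath("checkSum is not a hex digest")
    if isinstance(chunk_index, bool) or not isinstance(chunk_index, int) or chunk_index < 0:
        raise UnsafeUploadPath("chunk index must be a non-negative integer")

    root = Path(upload_root).resolve()
    candidate = (root / f"{checksum.lower()}.part{chunk_index:05d}").resolve()
    # Defence in depth: the resolved path (symlinks followed) must stay under root.
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeUploadPath("resolved path escapes the upload root") from None
    return candidate


def classify(upload_root, samples):
    """Return {sample: 'ok' | rejection reason} for constructed test inputs."""
    results = {}
    for value in samples:
        try:
            chunk_path(upload_root, value, 0)
            results[value] = "ok"
        except UnsafeUploadPath as exc:
            results[value] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed inputs, not taken from the advisory.
    constructed = ["a" * 64, "../../outside", "/abs/path", "ab/../cd", ""]
    for value, verdict in classify("/tmp/upload-demo", constructed).items():
        print(repr(value), "->", verdict)
```

Routing both endpoints through one helper means a fix to the path logic cannot be applied to one route and missed on the other.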
| CWE | CWE-22 |
| Vendor | shaneisrael |
| Product | fireshare |
| Published | Apr 2, 2026 |
| Last Updated | Apr 2, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | High |
Affected Versions
| ShaneIsrael / fireshare | < 1.5.3 |
References
github.com: https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-fvvp-rj8g-c7gc
github.com: https://github.com/ShaneIsrael/fireshare/pull/520
github.com: https://github.com/ShaneIsrael/fireshare/commit/b76915607924756e6fa1a5f6c8823c38d611fb24
github.com: https://github.com/ShaneIsrael/fireshare/releases/tag/v1.5.3