{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33477", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.970Z", "datePublished": "2026-03-26T17:09:00.236Z", "dateUpdated": "2026-03-26T18:23:47.892Z"}, "containers": {"cna": {"title": "FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users\u2019 file content", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83"}, {"name": "https://github.com/error311/FileRise/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/error311/FileRise/releases/tag/v3.11.0"}], "affected": [{"vendor": "error311", "product": "FileRise", "versions": [{"version": ">= 2.3.7, < 3.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:09:00.236Z"}, "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue."}], "source": {"advisory": "GHSA-62wx-vp78-2p83", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:46:36.577852Z", "id": "CVE-2026-33477", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:23:47.892Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33477", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:46:36.577852Z"}}}], "references": [{"url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:46:56.313Z"}}], "cna": {"title": "FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users\u2019 file content", "source": {"advisory": "GHSA-62wx-vp78-2p83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "error311", "product": "FileRise", "versions": [{"status": "affected", "version": ">= 2.3.7, < 3.11.0"}]}], "references": [{"url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83", "name": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/error311/FileRise/releases/tag/v3.11.0", "name": "https://github.com/error311/FileRise/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:09:00.236Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33477", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:23:47.892Z", "dateReserved": "2026-03-20T16:16:48.970Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:09:00.236Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*", "matchCriteriaId": "51D0BB82-B0E1-4A29-9C51-EA8DAE58105A", "versionEndExcluding": "3.11.0", "versionStartIncluding": "2.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue."}, {"lang": "es", "value": "FileRise es un gestor de archivos autohospedado basado en web con carga de m\u00faltiples archivos, edici\u00f3n y operaciones por lotes. En las versiones 2.3.7 a la 3.10.0, el endpoint de fragmentos de archivo `/api/file/snippet.php` permite a un usuario autenticado con solo acceso 'read_own' a una carpeta recuperar contenido de fragmentos de archivos subidos por otros usuarios en la misma carpeta. Esto es una falla de autorizaci\u00f3n del lado del servidor en la aplicaci\u00f3n de 'read_own' para las vistas previas al pasar el rat\u00f3n. La versi\u00f3n 3.11.0 corrige el problema."}], "id": "CVE-2026-33477", "lastModified": "2026-03-31T12:38:12.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T18:16:29.580", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/error311/FileRise/releases/tag/v3.11.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.7,3.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FileRise", "source": "cna", "vendor": "error311"}, "product": "filerise", "vendor": "error311"}], "analysis": {"en": {"generated_at": "2026-03-31T13:22:24.676288+00:00", "value": {"mitigation_remediation": ["Apply the official FileRise update to version 3.11.0 or later."], "summary": {"action": "Apply Patch", "impact": "Unauthorized data disclosure"}, "threat_synthesis": {"affected_systems": "Affected versions of the FileRise file manager range from 2.3.7 through 3.10.0. The vulnerability is present in all builds within that span and is resolved in version 3.11.0. The product is distributed by error311.\n", "description_and_impact": "FileRise's snippet\u2013retrieval endpoint permits an authenticated user with only read\u2011own access to a folder to fetch content from files uploaded by other users in the same folder. This represents a server\u2011side authorization deficiency that allows an attacker to read confidential data belonging to other users, compromising data confidentiality and privacy.\n", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity, and an EPSS score of less than 1% suggests low exploitation probability. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalogue. Exploitation requires an authenticated user with read\u2011own permissions on a shared folder and physical or network access to the FileRise instance. With these conditions, an attacker can exfiltrate sensitive file snippets from peer users.\n"}}}}, "created": "2026-03-27T08:33:34.813447+00:00", "updated": "2026-03-31T20:08:42.556872+00:00", "vendors": ["error311", "error311$PRODUCT$filerise"]}