CVE-2026-33645 — HIGH (7.1)

Vulnerability Description

Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or containment checks. This enables unauthorized file writes to attacker-chosen paths writable by the Fireshare process (e.g., container `/tmp`), violating integrity and potentially enabling follow-on attacks depending on deployment. Version 1.5.2 fixes the issue.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Shaneisrael	Fireshare	1.5.1

Related Weaknesses (CWE)

CWE-22 CWE-73

References

https://github.com/ShaneIsrael/fireshare/releases/tag/v1.5.2Release Notes
https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7Vendor Advisory
https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-7q8r-vpq3-89m7Vendor Advisory

FAQ

What is CVE-2026-33645?

CVE-2026-33645 is a vulnerability with a CVSS score of 7.1 (HIGH). Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary f...

How severe is CVE-2026-33645?

CVE-2026-33645 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33645?

Check the references section above for vendor advisories and patch information. Affected products include: Shaneisrael Fireshare.