Unrated severityNVD Advisory· Published Dec 12, 2025· Updated Dec 12, 2025

Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)

CVE-2025-67728

Description

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.

Affected products

Shaneisrael/Firesharev5
Range: < 1.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34mitrex_refsource_MISC
github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72mmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000