Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026

FileRise ONLYOFFICE integration allows read-only users to overwrite files via forged save callback

CVE-2026-33330

Description

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.

Affected products

Error311/Filerisev5
Range: < 3.10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/error311/FileRise/commit/3871f9fd1661688bed4f7dd23912be0ebf50973cmitrex_refsource_MISC
github.com/error311/FileRise/releases/tag/v3.10.0mitrex_refsource_MISC
github.com/error311/FileRise/security/advisories/GHSA-6c3j-f4x4-36m3mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000