Unrated severityNVD Advisory· Published Mar 26, 2026· Updated Mar 26, 2026

FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content

CVE-2026-33477

Description

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only read_own access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the read_own enforcement for hover previews. Version 3.11.0 fixes the issue.

Affected products

Error311/Filerisev5
Range: >= 2.3.7, < 3.11.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/error311/FileRise/releases/tag/v3.11.0mitrex_refsource_MISC
github.com/error311/FileRise/security/advisories/GHSA-62wx-vp78-2p83mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000