Shaneisrael Fireshare vulnerabilities
4 known vulnerabilities affecting shaneisrael/fireshare.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 2, HIGH: 1, MEDIUM: 1
Vulnerabilities
CVE-2025-67728 | P2 | CRITICAL | CVSS 9.8 | CWE-77 | fixed in 1.3.0 | 2025-12-12
Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files
Source: NVD
CVE-2026-34745 | P2 | CRITICAL | CVSS 9.1 | fixed in 1.5.3 | 2026-04-02
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An unauthenticated attacker can exploit the checkSum paramete
Source: NVD
CVE-2026-33645 | P3 | HIGH | CVSS 8.1 | CWE-22 | v1.5.1 | fixed in 1.5.3 | 2026-03-26
Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path traversal vulnerability in Fireshare’s chunked upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The `checkSum` multipart field is used directly in filesystem path construction without sanitization or contai
Source: NVD
CVE-2025-55476 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | v1.2.25 | 2025-09-02
FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint GET /api/videos/public?sort=. This parameter is unsafely evaluated in a SQL ORDER BY clause without proper sanitization, allowing an attacker to inject arbitrary SQL subqueries.
Source: NVD