{“lastseen”:””,”description”:”Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.”,”published”:”2025-12-12T07:10:55.980Z”,”modified”:”2025-12-12T07:10:55.980Z”,”type”:”cve”,”title”:”Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/ShaneIsrael\/fireshare\/security\/advisories\/GHSA-c4f5-g622-q72m\\nhttps:\/\/github.com\/ShaneIsrael\/fireshare\/commit\/157386c85f6683f89192dae52115069b435b6d34″,”id”:”CVE-2025-67728″,”bulletinFamily”:””,”cwe”:[“CWE-77″],”cvelist”:null,”sourceData”:”ShaneIsrael fireshare \\u003c 1.3.0″,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”fireshare”,”version”:”\\u003c 1.3.0″,”vendor”:”ShaneIsrael”,”ai_description”:”Fireshare is vulnerable to OS Command Injection (RCE) due to a malicious filename being concatenated into a shell command, allowing file uploads to arbitrary directories or execution of system commands.”,”ai_severity”:”Critical”,”ai_vendor”:”ShaneIsrael”,”ai_product”:”Fireshare”,”ai_version”:”1.2.30 and below”,”ai_score”:9.8}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5],"class_list":["post-30718","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n