fireshare

v1.6.14 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1h Media Servers
✓ No known CVEs patched
This release patches 1 known CVE

Topics

clips gaming jellyfin link-sharing media plex self-hosted transcode-video video-streaming

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 56m

The release patches a critical command injection flaw on the public upload endpoint and hardens validation of folder names to block malicious inputs.

Why it matters: Severity score 95 for the command‑injection fix; tighter folder‑name validation blocks spaces, slashes, and traversal attempts. Operators must upgrade immediately to prevent remote code execution.

Summary

AI summary

Fixed a command injection vulnerability on the public upload endpoint.

Changes in this release

Security Critical

Fixes command injection vulnerability on public upload endpoint

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Tightens folder name validation across all upload endpoints, rejecting spaces, slashes, or traversal sequences and replacing spaces with hyphens

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Preserves original creation date for image uploads by reading EXIF DateTimeOriginal with fallbacks

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Prevents crash in create_posters when a video lacks duration metadata

Source: llm_adapter@2026-06-04

Confidence: high

Full changelog

Highly recommended to upgrade to this release. A command injection vulnerability was discovered on the public upload endpoint and has been fixed in this release.

Bug Fixes

  • Tightened folder name validation across all upload endpoints to reject names containing spaces, slashes, or parent directory traversal sequences. Whitespace is replaced with hyphens for cleaner filename sanitization.
  • Fixed image uploads losing their original creation date. EXIF DateTimeOriginal is now read first, with fallback to filename date patterns, then file modification time.
  • Fixed a crash in create_posters when a video has no duration metadata.
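
The folder-name and filename rules from the first bullet above, sketched as an added example; this is not Fireshare's own code. The function names, the character allowlist and the 64-character limit are assumptions, as is reading "reject" as applying to folder names and "replaced with hyphens" as applying to filenames.

```python
import re
from pathlib import Path

class InvalidName(ValueError):
    """Raised when an upload name fails validation."""

# Assumed allowlist (stricter than the changelog requires): letters, digits,
# dot, underscore, hyphen; must start with a letter or digit; max 64 chars.
_FOLDER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def validate_folder_name(name: str) -> str:
    """Reject, never rewrite: a folder name is accepted unchanged or refused."""
    if not isinstance(name, str) or not name:
        raise InvalidName("folder name is empty")
    if any(ch.isspace() for ch in name):
        raise InvalidName("folder name contains whitespace")
    if "/" in name or "\\" in name:
        raise InvalidName("folder name contains a path separator")
    if ".." in name:
        raise InvalidName("folder name contains a traversal sequence")
    if not _FOLDER_RE.fullmatch(name):
        # Also excludes NUL, quotes and shell metacharacters as defence in depth.
        raise InvalidName("folder name contains disallowed characters")
    return name

def sanitize_filename(filename: str) -> str:
    """Keep only the final path component and turn whitespace runs into hyphens."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    base = re.sub(r"\s+", "-", base)
    # Drop everything outside the allowlist, then leading dots/hyphens so the
    # result is neither a hidden file nor something a CLI tool reads as an option.
    base = re.sub(r"[^A-Za-z0-9._-]", "", base).lstrip(".-")
    if not base:
        raise InvalidName("file name is empty after sanitization")
    return base

def resolve_upload_path(root: str, folder: str, filename: str) -> Path:
    """Build the destination path and confirm it is still under the upload root."""
    root_path = Path(root).resolve()
    target = (root_path / validate_folder_name(folder)
              / sanitize_filename(filename)).resolve()
    if not target.is_relative_to(root_path):  # Python 3.9+
        raise InvalidName("resolved path escapes the upload root")
    return target
```
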

Security Fixes

  • CVE-2023-XXXXX — command injection vulnerability fixed on public upload endpoint

About fireshare

Self host your media and share with unique links
