Critical ShareFile Flaws Lead to Unauthenticated RCE

Two critical-severity vulnerabilities in the ShareFile content collaboration platform can be chained to achieve unauthenticated remote code execution by abusing an Execution After Redirect flaw and an arbitrary file upload bug. Both issues (CVE-2026-2699 and CVE-2026-2701) were reported to ShareFile and fixed in version 5.12.4; ShareFile 6.x is not affected.

Key points

  • Two critical vulnerabilities in ShareFile can be chained to enable unauthenticated RCE.
  • CVE-2026-2699 is an Execution After Redirect issue that exposed admin Storage Zone configuration pages.
  • An attacker could modify HTTP responses to access admin pages and reconfigure Storage Zones to attacker-controlled locations.
  • CVE-2026-2701 is an arbitrary file upload flaw that allowed dropping a web shell and achieving RCE.
  • Both flaws were reported in February and remediated in ShareFile version 5.12.4; versions 6.x are not affected.
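Execution After Redirect, as an added illustration that is not taken from the article or from ShareFile's code: a minimal handler that issues a redirect for unauthenticated callers but keeps executing, so the protected page body is still emitted, beside the corrected form that returns immediately. The handler names, the fake storage zone page and the reviewer's check are all assumptions made for this example.

```python
# Added illustration of the Execution After Redirect (EAR) bug class.
# Framework-free: a handler returns a Response object so it runs offline.
# The "storage zone" page below is constructed, not ShareFile's markup.

from dataclasses import dataclass, field


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed stand-in for a protected admin page.
ADMIN_PAGE = "<storage-zone-config zone='constructed-zone' endpoint='https://example.invalid'/>"


def render_admin_page(resp: Response) -> None:
    resp.body += ADMIN_PAGE


def vulnerable_handler(is_admin: bool) -> Response:
    resp = Response()
    if not is_admin:
        # Bug: the redirect is written, but the function keeps running.
        resp.status = 302
        resp.headers["Location"] = "/login"
    render_admin_page(resp)  # executes even after the redirect was set
    return resp


def fixed_handler(is_admin: bool) -> Response:
    resp = Response()
    if not is_admin:
        resp.status = 302
        resp.headers["Location"] = "/login"
        return resp  # stop here; nothing below runs for unauthenticated callers
    render_admin_page(resp)
    return resp


def leaks_protected_content(handler) -> bool:
    """Reviewer's check: a client that ignores the 302 and reads the body
    anyway must not receive the protected page."""
    resp = handler(is_admin=False)
    return resp.status == 302 and ADMIN_PAGE in resp.body
```

The check models the defender's test for this bug class: inspect the body of every redirect response to a protected route, not just its status code.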

Read More: https://www.securityweek.com/critical-sharefile-flaws-lead-to-unauthenticated-rce/