PatchSiren

error311 CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | error311 CVE | published 2026-05-27

CVE-2026-44460

FileRise versions prior to 3.12.0 contain an authentication bypass vulnerability in the TOTP (Time-based One-Time Password) setup flow. The /api/totp_setup.php endpoint is accessible from sessions that have only completed password verification but have not yet passed TOTP verification (pending_login_user state). When invoked for an account with existing TOTP configuration, the endpoint decrypts and return [truncated]