What is the CVSS score of CVE-2026-28674?

CVE-2026-28674 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

How to fix or mitigate CVE-2026-28674?

Within 24 hours: Identify all deployed xiaoheiFS instances and verify current versions (0.3.15 or earlier are affected). Within 7 days: Upgrade all instances to version 0.3.16 or later (vendor-released patch). Simultaneously, reset administrative credentials to strong, unique passwords and disable the AdminPaymentPluginUpload endpoint if not actively required. Within 30 days: Conduct access logs review for suspicious file uploads to the AdminPaymentPluginUpload endpoint and verify no unauthorized code execution occurred; implement network segmentation to restrict xiaoheiFS administrative access to trusted networks only.

CVE-2026-28674

EUVD-2026-12702 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-18 GitHub_M

File Upload

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:21 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

0.4.0

EUVD ID Assigned

Mar 18, 2026 - 01:00 euvd

EUVD-2026-12702

Analysis Generated

Mar 18, 2026 - 01:00 vuln.today

CVE Published

Mar 18, 2026 - 00:48 nvd

HIGH 7.2

DescriptionNVD

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password (qweasd123456) and ignores file content. A background watcher (StartWatcher) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

AnalysisAI

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. …

RemediationAI

Within 24 hours: Identify all deployed xiaoheiFS instances and verify current versions (0.3.15 or earlier are affected). Within 7 days: Upgrade all instances to version 0.3.16 or later (vendor-released patch). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28674 vulnerability details – vuln.today

Back

CVE-2026-28674

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code