Skip to main content

Rejetto HFS CVE-2026-61501

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 VulnCheck
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

No privileges needed to inject; scope changes because XSS fires in admin browser enabling server code execution, warranting I:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:44 vuln.today
Analysis Generated
Jul 13, 2026 - 19:44 vuln.today

DescriptionCVE.org

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs are viewed, allowing the attacker to create accounts or execute code on the server with the administrator's privileges.

AnalysisAI

Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted failed login with JavaScript payload in username
Delivery
Username persisted unsanitized in HFS error log
Exploit
Admin opens log viewer in administration panel
Execution
Stored JavaScript executes in admin browser session
Impact
Create backdoor admin account or execute server-side code with admin privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires two sequential conditions: first, the attacker must reach the HFS login endpoint over the network and submit a failed authentication attempt using a crafted username containing a JavaScript payload - no credentials, prior account, or special configuration are needed for this injection step, as it exploits the standard unauthenticated login flow present in all default HFS 3.x installations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 reflects the passive user-interaction requirement (UI:P) - an administrator must view the log before the payload fires - which correctly prevents the score from reaching Critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a failed login to an internet-exposed HFS 3.x instance using a username containing a JavaScript payload - for example, a script that silently calls the HFS API to create a new administrator account using the active session. The entry is written to the error log without sanitization. …
Remediation Upgrade Rejetto HFS to version 3.2.1 immediately; this is the vendor-confirmed patched release addressing CVE-2026-61501 along with additional co-disclosed security issues, available at https://github.com/rejetto/hfs/releases/tag/v3.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy