Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No privileges needed to inject; scope changes because XSS fires in admin browser enabling server code execution, warranting I:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs are viewed, allowing the attacker to create accounts or execute code on the server with the administrator's privileges.
AnalysisAI
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two sequential conditions: first, the attacker must reach the HFS login endpoint over the network and submit a failed authentication attempt using a crafted username containing a JavaScript payload - no credentials, prior account, or special configuration are needed for this injection step, as it exploits the standard unauthenticated login flow present in all default HFS 3.x installations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 reflects the passive user-interaction requirement (UI:P) - an administrator must view the log before the payload fires - which correctly prevents the score from reaching Critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a failed login to an internet-exposed HFS 3.x instance using a username containing a JavaScript payload - for example, a script that silently calls the HFS API to create a new administrator account using the active session. The entry is written to the error log without sanitization. … |
| Remediation | Upgrade Rejetto HFS to version 3.2.1 immediately; this is the vendor-confirmed patched release addressing CVE-2026-61501 along with additional co-disclosed security issues, available at https://github.com/rejetto/hfs/releases/tag/v3.2.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticat
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attacker
Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remot
Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP G
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured wi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today