Skip to main content

Rejetto HFS CVE-2026-61502

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-13 VulnCheck
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Network-delivered CSRF with no attacker privileges; scope changes because admin compromise yields RCE, giving high C and I beyond the original session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:43 vuln.today
Analysis Generated
Jul 13, 2026 - 19:43 vuln.today

DescriptionCVE.org

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a logged-in administrator's browser to navigate to a crafted URL, or without any credentials against default installations when the attack originates from the server's own machine.

AnalysisAI

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify HFS admin target or SSRF entry point
Delivery
Craft malicious GET URL targeting HFS admin API
Exploit
Deliver URL to logged-in admin via phishing or trigger via SSRF
Install
Admin browser or SSRF issues unauthenticated GET request
C2
HFS processes state-change, creates backdoor admin account
Execute
Attacker authenticates and modifies HFS configuration
Impact
Achieve remote code execution on host

Vulnerability AssessmentAI

Exploitation Two distinct exploitation paths exist with different prerequisites. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A) reflects only the user-interaction-dependent CSRF vector and scores the integrity impact conservatively at VI:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an organization running HFS 3.x and sends a phishing email to an administrator containing an innocuous-looking link or embeds a hidden image tag pointing to a crafted URL such as http://hfs-host/api/create-account?user=attacker&pass=pwned; when the logged-in admin's browser fetches the URL (even passively), HFS processes the GET request as a legitimate administrative action, creates a backdoor account, and the attacker subsequently authenticates and leverages HFS configuration access to achieve code execution. Alternatively, if the attacker has exploited an SSRF vulnerability in any application running on the same server, they can directly call the HFS API on localhost without credentials, bypassing authentication entirely.
Remediation Upgrade to Rejetto HFS 3.2.1 immediately, available at https://github.com/rejetto/hfs/releases/tag/v3.2.1; the vendor release notes confirm this version addresses multiple security vulnerabilities including this CSRF flaw. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy