Rejetto HFS CVE-2026-61503
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable login endpoint requires no authentication or user interaction; impact is strictly limited confidentiality loss (username enumeration) with no integrity, availability, or scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and session-forgery attacks.
AnalysisAI
Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for the enumeration phase: the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the HFS login endpoint needs only to be reachable over the network by the attacker, with no authentication, user interaction, or non-default configuration required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) accurately reflects a remotely exploitable, zero-prerequisite flaw with limited, one-dimensional confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends automated HTTP POST requests to the HFS login endpoint cycling through a wordlist of common usernames and observes differing response codes, body text, or response timing to identify valid accounts including the default admin. With the admin username confirmed, the attacker proceeds to credential-stuffing using leaked password databases or targeted brute-force, and-given the vendor's disclosure of co-remediated vulnerabilities-may chain this with additional unpatched HFS flaws to achieve full administrative access. … |
| Remediation | Upgrade to Rejetto HFS version 3.2.1 immediately; this release is confirmed by the vendor at https://github.com/rejetto/hfs/releases/tag/v3.2.1 and addresses this flaw alongside additional vulnerabilities that collectively enable administrative compromise. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticat
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attacker
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject
Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP G
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured wi
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today