Skip to main content

Rejetto HFS CVE-2026-61505

MEDIUM
Path Traversal (CWE-22)
2026-07-13 VulnCheck
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth or interaction (AV:N/PR:N/UI:N); confidentiality limited to narrow JSON subset, scope unchanged, no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:41 vuln.today
Analysis Generated
Jul 13, 2026 - 19:41 vuln.today

DescriptionCVE.org

Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact.

AnalysisAI

Path traversal via the lang query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed HFS 3.0.0-3.2.0 instance
Delivery
Craft HTTP request with traversal sequences in lang parameter
Exploit
Server resolves path outside shared folder
Execution
Matching JSON file returned in response
Impact
Attacker reads disclosed data

Vulnerability AssessmentAI

Exploitation The target must be running Rejetto HFS version 3.0.0 through 3.2.0 and must be reachable over the network by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N) reflects a low-complexity, unauthenticated network attack yielding only low confidentiality impact on the vulnerable system - consistent with the description's explicit constraint that only narrowly-patterned JSON files are reachable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends an HTTP GET request to an exposed HFS 3.x instance with a crafted `lang` parameter containing directory traversal sequences such as `../../config` or similar, targeting predictably named JSON files outside the shared folder. The server resolves the traversed path, matches a file fitting the naming/format constraints of the lang loader, and returns its contents in the HTTP response. …
Remediation Upgrade to Rejetto HFS version 3.2.1 immediately, available at https://github.com/rejetto/hfs/releases/tag/v3.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy