EUVD-2026-12700 | CVE-2026-28673
Severity: HIGH (CVSS 3.1 base score 7.2)
Published: 2026-03-18, source: GitHub_M (CNA)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 18, 2026 - 01:00 (vuln.today)
EUVD ID Assigned: Mar 18, 2026 - 01:00 (euvd), EUVD-2026-12700
CVE Published: Mar 18, 2026 - 00:41 (nvd)

Description

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the file it names without any validation of the file's contents or behavior, leading to Remote Code Execution (RCE) in the context of the server process. The upload requires an administrator account, which is why the CVSS vector scores Privileges Required as High; a compromised or malicious admin account is enough to turn plugin upload into arbitrary code execution. Version 0.4.0 fixes the issue.

Analysis

xiaoheiFS versions up to and including 0.3.15 contain a remote code execution vulnerability (rated HIGH, CVSS 3.1 base score 7.2) in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries, and the server executes the file named in the manifest.json `binaries` field without validating it. …
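The loader pattern described in the Description and Analysis above, beside a hardened version, as an added example. This is illustrative code, not xiaoheiFS's own and not derived from the 0.4.0 fix (whose details this page does not give). Only `manifest.json` and its `binaries` field come from the advisory; the `name` field, the install path, the shape of the operator-controlled trusted registry, and the sample plugin archive are assumptions.

```python
import hashlib
import io
import json
import posixpath
import zipfile


class PluginRejected(Exception):
    """Raised by the hardened loader when an uploaded plugin fails validation."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_plugin_zip(manifest: dict, files: dict) -> bytes:
    """Build a plugin archive in memory. Constructed test input, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_plan(zip_bytes: bytes, plugin_dir: str) -> list:
    """The flawed pattern from the advisory: trust manifest['binaries'] and run whatever
    it names. Returns the paths the server would execute after extracting into
    plugin_dir (nothing is executed here). A traversing entry such as
    '../../usr/bin/id' resolves outside plugin_dir; an absolute entry replaces it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    return [posixpath.normpath(posixpath.join(plugin_dir, b)) for b in manifest["binaries"]]


def hardened_plan(zip_bytes: bytes, plugin_dir: str, trusted: dict) -> list:
    """Hardened loader. `trusted` maps plugin name -> {binary filename: expected SHA-256};
    it is an assumed operator-controlled registry, not something xiaoheiFS ships.
    Rejects unknown plugins, any binary path that is not a bare filename, any binary
    missing from the archive or not hashing to its pinned value, and any extra
    archive member. Returns the paths that may be executed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if "manifest.json" not in names:
            raise PluginRejected("missing manifest.json")
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except ValueError as exc:
            raise PluginRejected(f"unparseable manifest: {exc}")
        name = manifest.get("name")
        binaries = manifest.get("binaries")
        if not isinstance(name, str) or name not in trusted:
            raise PluginRejected(f"plugin {name!r} is not in the trusted registry")
        if not isinstance(binaries, list) or not binaries:
            raise PluginRejected("'binaries' must be a non-empty list")
        pinned = trusted[name]
        plan = []
        for b in binaries:
            # Bare filename only: no directory part, no '.', '..', '/', or NUL.
            if (not isinstance(b, str) or b != posixpath.basename(b)
                    or b in ("", ".", "..") or "\x00" in b):
                raise PluginRejected(f"unsafe binary path {b!r}")
            if b not in pinned:
                raise PluginRejected(f"binary {b!r} is not pinned for plugin {name!r}")
            if b not in names:
                raise PluginRejected(f"binary {b!r} named in manifest but absent from archive")
            digest = sha256_hex(zf.read(b))
            if digest != pinned[b]:
                raise PluginRejected(f"hash mismatch for {b!r}: got {digest}")
            plan.append(posixpath.join(plugin_dir, b))
        extra = names - {"manifest.json"} - set(pinned)
        if extra:
            raise PluginRejected(f"unexpected archive members: {sorted(extra)}")
    return plan


def rejection_reason(zip_bytes: bytes, plugin_dir: str, trusted: dict):
    """Return the hardened loader's rejection message, or None if the plugin is accepted."""
    try:
        hardened_plan(zip_bytes, plugin_dir, trusted)
    except PluginRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    plugin_dir = "/srv/xiaoheifs/plugins/demo"   # assumed install path
    hook = b"#!/bin/sh\necho demo plugin\n"       # constructed stand-in for a plugin binary
    trusted = {"demo": {"demo-hook": sha256_hex(hook)}}
    good = build_plugin_zip({"name": "demo", "binaries": ["demo-hook"]}, {"demo-hook": hook})
    evil = build_plugin_zip({"name": "demo", "binaries": ["../../../../usr/bin/id", "/bin/sh"]},
                            {"demo-hook": hook})
    print("vulnerable, good upload:", vulnerable_plan(good, plugin_dir))
    print("vulnerable, evil upload:", vulnerable_plan(evil, plugin_dir))
    print("hardened, good upload  :", hardened_plan(good, plugin_dir, trusted))
    print("hardened, evil upload  :", rejection_reason(evil, plugin_dir, trusted))
```

The point the hardened loader makes is that the manifest inside an upload can never be the authority on what gets executed: the decision has to rest on something the uploader does not control (here a pinned-hash registry held by the operator), and the path named in the manifest has to be constrained to a bare filename inside the plugin directory before it is ever joined to a path. Even with those checks, the safest mitigation on affected versions remains removing the ability to upload plugins until 0.4.0 is deployed.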


Remediation

Within 24 hours: Audit admin account access logs for suspicious plugin uploads and restrict plugin upload capability to essential personnel only; restricting uploads is a mitigation, not a fix. Within 7 days: Inventory all xiaoheiFS deployments and their versions (anything up to and including 0.3.15 is affected); prepare an upgrade plan to version 0.4.0 or later. …


Priority Score

36 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.2, CVSS +36, POC 0

EUVD-2026-12700 vulnerability details – vuln.today