Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password (qweasd123456) and ignores file content. A background watcher (StartWatcher) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
AnalysisAI
xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.
Technical ContextAI
The vulnerability affects xiaoheiFS (CPE: cpe:2.3:a:danvei233:xiaoheifs), a specialized cloud service business management platform. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), compounded by hardcoded credentials and dangerous file handling. The AdminPaymentPluginUpload endpoint performs no validation on uploaded file content beyond checking a static password, depositing files directly into the plugins/payment/ directory. A background file system watcher (StartWatcher function) polls this directory at 5-second intervals and automatically executes any newly discovered executable files without authentication or integrity checks, creating an immediate code execution pathway.
RemediationAI
Upgrade xiaoheiFS to version 4.0.0 or later, which fully addresses the vulnerability according to the CVE description and vendor advisory at https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p. Until patching is completed, implement immediate compensating controls: restrict network access to the admin interface using firewall rules or VPN requirements to trusted IP ranges only, disable the AdminPaymentPluginUpload endpoint if not operationally required, monitor the plugins/payment/ directory for unauthorized file modifications, and consider disabling the StartWatcher service temporarily if business operations permit. Change any instances of the hardcoded password 'qweasd123456' if reused elsewhere in the environment, and review access logs for suspicious admin activity targeting the upload endpoint.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12702