Skip to main content

Xiaoheifs EUVDEUVD-2026-12702

| CVE-2026-28674 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-18 GitHub_M
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:21 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.4.0
EUVD ID Assigned
Mar 18, 2026 - 01:00 euvd
EUVD-2026-12702
Analysis Generated
Mar 18, 2026 - 01:00 vuln.today
CVE Published
Mar 18, 2026 - 00:48 nvd
HIGH 7.2

DescriptionGitHub Advisory

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password (qweasd123456) and ignores file content. A background watcher (StartWatcher) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

AnalysisAI

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.

Technical ContextAI

The vulnerability affects xiaoheiFS (CPE: cpe:2.3:a:danvei233:xiaoheifs), a specialized cloud service business management platform. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), compounded by hardcoded credentials and dangerous file handling. The AdminPaymentPluginUpload endpoint performs no validation on uploaded file content beyond checking a static password, depositing files directly into the plugins/payment/ directory. A background file system watcher (StartWatcher function) polls this directory at 5-second intervals and automatically executes any newly discovered executable files without authentication or integrity checks, creating an immediate code execution pathway.

RemediationAI

Upgrade xiaoheiFS to version 4.0.0 or later, which fully addresses the vulnerability according to the CVE description and vendor advisory at https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p. Until patching is completed, implement immediate compensating controls: restrict network access to the admin interface using firewall rules or VPN requirements to trusted IP ranges only, disable the AdminPaymentPluginUpload endpoint if not operationally required, monitor the plugins/payment/ directory for unauthorized file modifications, and consider disabling the StartWatcher service temporarily if business operations permit. Change any instances of the hardcoded password 'qweasd123456' if reused elsewhere in the environment, and review access logs for suspicious admin activity targeting the upload endpoint.

Share

EUVD-2026-12702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy