Skip to main content

Hfs

6 CVEs product

Monthly

CVE-2026-61505 MEDIUM PATCH This Month

Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.

Path Traversal Hfs
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-61504 MEDIUM PATCH This Month

Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.

XSS Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-61503 MEDIUM PATCH This Month

Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.

Information Disclosure Hfs
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-61502 MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-61501 MEDIUM PATCH This Month

Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.

XSS Hfs
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-61500 CRITICAL PATCH Act Now

Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.

RCE Hfs
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.7%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.

Path Traversal Hfs
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.

XSS Hfs
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.

Information Disclosure Hfs
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.

XSS Hfs
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.

RCE Hfs
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy