Skip to main content

Xiaoheifs

2 CVEs product

Monthly

CVE-2026-28674 HIGH PATCH This Week

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.

File Upload Xiaoheifs
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-28673 HIGH PATCH This Week

xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.

RCE Command Injection Xiaoheifs
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.

File Upload Xiaoheifs
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.

RCE Command Injection Xiaoheifs
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy