CVE-2014-7226

Rejetto HTTP File Server <2.3c - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-7226. PoCs published by Daniele Linguaglossa.

AI-analyzed exploit summary This exploit leverages a UTF-8 parsing vulnerability in HTTP File Server (HFS) 2.3a-2.3c to execute arbitrary commands via malformed byte sequences in file comments. The PoC sends a crafted POST request to trigger command execution.

Description

The file comment feature in Rejetto HTTP File Server (hfs) 2.3c and earlier allows remote attackers to execute arbitrary code by uploading a file with certain invalid UTF-8 byte sequences that are interpreted as executable macro symbols.

Exploits (1)

exploitdb WORKING POC
by Daniele Linguaglossa · textwebappswindows
https://www.exploit-db.com/exploits/34852

This exploit leverages a UTF-8 parsing vulnerability in HTTP File Server (HFS) 2.3a-2.3c to execute arbitrary commands via malformed byte sequences in file comments. The PoC sends a crafted POST request to trigger command execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: HTTP File Server (HFS) 2.3a - 2.3c
No auth needed
Prerequisites: HFS with upload permissions enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34852
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70216

Scores

EPSS 0.0919
EPSS Percentile 94.7%

Details

CWE
CWE-94
Status published
Products (1)
rejetto/http_file_server < 2.3c
Published Oct 10, 2014
Tracked Since Feb 18, 2026