CVE-2026-61502
MEDIUMRejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests
Title source: cnaDescription
Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a logged-in administrator's browser to navigate to a crafted URL, or without any credentials against default installations when the attack originates from the server's own machine.
References (2)
Core 2
Core References
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/rejetto-hfs-cross-site-request-forgery-via-get-requests
Scores
CVSS v3
4.3
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-352
Status
published
Products (1)
rejetto/hfs
3.0.0 - 3.2.1
Published
Jul 13, 2026
Tracked Since
Jul 13, 2026