CVE-2026-61504

MEDIUM

Rejetto HFS < 3.2.1 Stored XSS via File Names in Basic Web Listing

Title source: cna
STIX 2.1

Description

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.

References (2)

Core 2
Core References
Patch release-notes patch
Release Notes
https://github.com/rejetto/hfs/releases/tag/v3.2.1

Scores

CVSS v3 5.4
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
rejetto/hfs 3.0.0 - 3.2.1
Published Jul 13, 2026
Tracked Since Jul 13, 2026