Stored XSS Vulnerability in Rejetto HFS Administration Panel
CVE-2026-61501

5.3MEDIUM

Key Information:

Vendor

Rejetto

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61501?

A stored Cross-Site Scripting (XSS) vulnerability exists in Rejetto HFS versions 3.0.0 through 3.2.0, which allows an unauthenticated remote attacker to inject malicious JavaScript into the administration panel's error log. When an administrator views the logs, the injected script executes within their browser context, potentially allowing the attacker to manipulate accounts or execute unauthorized commands on the server with administrative privileges.

Affected Version(s)

hfs 3.0.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
.