Cross-Site Request Forgery Vulnerability in Rejetto HFS Web Server
CVE-2026-61502

5.1MEDIUM

Key Information:

Vendor

Rejetto

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61502?

The Rejetto HFS web server versions 3.0.0 to 3.2.0 are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability due to improper handling of GET requests. This oversight allows attackers to perform unauthorized administrative actions, such as account creation and configuration modifications. By enticing a logged-in administrator to click a malicious link, an attacker can execute these actions, potentially leading to code execution. Furthermore, if the attack is initiated from the server itself, unauthorized access can occur without any administrative credentials.

Affected Version(s)

hfs 3.0.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
.