Stored Cross-Site Scripting Flaw in Rejetto HFS Web File Server
CVE-2026-61504
5.1MEDIUM
What is CVE-2026-61504?
Rejetto HFS versions 3.0.0 through 3.2.0 are susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises due to inadequate escaping of file names in the fallback 'basic' web listing feature. Attackers can exploit this by utilizing the ?get=basic parameter in their browser. If a user with upload permissions, or an anonymous user on servers with unprotected upload folders, uploads a file that contains malicious scripts, those scripts can execute in the browser of anyone accessing the basic listing. As a result, this vulnerability poses a significant risk to users and their data.
Affected Version(s)
hfs 3.0.0
References
CVSS V4
Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
