Path Traversal Vulnerability in Rejetto HFS Product
CVE-2026-61505

6.9MEDIUM

Key Information:

Vendor

Rejetto

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61505?

A vulnerability in Rejetto HFS versions 3.0.0 to 3.2.0 allows remote unauthenticated attackers to exploit path traversal via the lang query parameter. This security flaw enables the exposure of certain JSON files that reside outside of designated shared folders. However, the exploitation is limited to files with specific naming conventions and formats, which reduces the overall risk.

Affected Version(s)

hfs 3.0.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
.