Path Traversal Vulnerability in Rejetto HFS Product
CVE-2026-61505
6.9MEDIUM
What is CVE-2026-61505?
A vulnerability in Rejetto HFS versions 3.0.0 to 3.2.0 allows remote unauthenticated attackers to exploit path traversal via the lang query parameter. This security flaw enables the exposure of certain JSON files that reside outside of designated shared folders. However, the exploitation is limited to files with specific naming conventions and formats, which reduces the overall risk.
Affected Version(s)
hfs 3.0.0
References
CVSS V4
Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
