← back
CVE-2026-61504

Rejetto HFS < 3.2.1 Stored XSS via File Names in Basic Web Listing

CVSS 5.1 MEDIUMCWE-79
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
13 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
rejetto · hfs