CVE-2026-61504
Rejetto HFS < 3.2.1 Stored XSS via File Names in Basic Web Listing
Vexday Risk Score
10Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.1EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
13 jul 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Productos afectados
rejetto · hfs