CVE-2026-28674
CVE-2026-28674 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. EPSS estimates a 0.34% chance of exploitation in the next 30 days.
Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
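The advisory describes three separate weaknesses (a hardcoded upload password, no restriction on the uploaded file's name or content, and a watcher that executes whatever lands in `plugins/payment/`). The following Go snippet is an added illustration of how each one is typically closed; it is hypothetical code written for this page, not xiaoheiFS's own, and it assumes payment plugins can be represented as `.json` manifests rather than executables.

```go
package main
import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"path/filepath"
	"strings"
)
// Hypothetical hardened checks for an admin plugin-upload endpoint (not xiaoheiFS code), one per
// weakness in the advisory: hardcoded password, unrestricted name/content, auto-executing watcher.
var errAuth = errors.New("invalid upload secret")
var errBadName = errors.New("plugin name must be a plain .json file")
var errExecutable = errors.New("uploaded content looks executable")
// checkSecret compares against an operator-configured secret in constant time;
// an empty configured value (a default that was never set) is always rejected.
func checkSecret(configured, presented string) error {
	if configured == "" || subtle.ConstantTimeCompare([]byte(configured), []byte(presented)) != 1 {
		return errAuth
	}
	return nil
}
// safePluginPath confines the upload to pluginDir and allows only a .json manifest
// (assumption: payment plugins are declarative manifests, never executables).
func safePluginPath(pluginDir, name string) (string, error) {
	base := filepath.Base(name)
	if base != name || strings.HasPrefix(base, ".") || !strings.HasSuffix(base, ".json") {
		return "", errBadName
	}
	return filepath.Join(pluginDir, base), nil
}

// rejectExecutable refuses ELF, PE, Mach-O and shebang content, so a file that slipped
// past the name check still cannot be picked up and run by a watcher.
func rejectExecutable(content []byte) error {
	for _, magic := range [][]byte{{0x7f, 'E', 'L', 'F'}, {'M', 'Z'}, {0xcf, 0xfa, 0xed, 0xfe}, []byte("#!")} {
		if bytes.HasPrefix(content, magic) {
			return errExecutable
		}
	}
	return nil
}
// approved is what a watcher should do instead of executing new files: load one only
// if its SHA-256 is on an admin-maintained allowlist recorded before the file lands.
func approved(content []byte, allowlist map[string]bool) bool {
	sum := sha256.Sum256(content)
	return allowlist[hex.EncodeToString(sum[:])]
}
```

Note that `approved` only gates loading; the watcher in the vulnerable versions executed new files, and the safe design never executes uploaded content at all.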
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Danvei233 | Xiaoheifs | < 0.4.0 |
References
- https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p (Exploit, Vendor Advisory)
Source: NVD / NIST
