ctipilot.ch

Rejetto HFS 3.0.0–3.2.0 stored XSS via unescaped filenames in fallback 'basic' listing; fixed 3.2.1

cve · CVE-2026-61504

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
5
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Rejetto HFS

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/rejetto-hfs-session-forgery-prng-rce-cve-2026-61500 · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-07-13/rejetto-hfs-session-forgery-prng-rce-cve-2026-61500 · ATT&CK page ↗

Story timeline

  1. 2026-07-13CVE-2026-61500 — Rejetto HFS < 3.2.1: predictable session-signing PRNG lets an unauthenticated attacker forge admin sessions to RCE (CVSS 9.3)
    trending-vulnerabilitiesRejetto HFS patches a six-CVE chain whose pre-auth session forgery reaches code execution on any exposed instance

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • github.com1 (50%)
  • vulncheck.com1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Rejetto HFS 3.0.0–3.2.0 stored XSS via unescaped filenames in fallback 'basic' listing; fixed 3.2.1 (1)

2026-07-13 · view entry permalink →

NOTABLECVE-2026-61500 +5NATOB2

CVE-2026-61500 — Rejetto HFS < 3.2.1: predictable session-signing PRNG lets an unauthenticated attacker forge admin sessions to RCE (CVSS 9.3)

VulnCheck disclosed a six-CVE chain in Rejetto HFS (HTTP File Server) 3.0.0 through 3.2.0, all fixed in 3.2.1 on 2026-07-13 (VulnCheck, 2026-07-13). The headline flaw, CVE-2026-61500 (CVSS 4.0 9.3, CWE-338 weak PRNG), derives the session-cookie signing key from JavaScript's non-cryptographic Math.random() and leaks outputs of that same generator to unauthenticated clients on the login endpoint; an attacker who collects a small number of login responses can reconstruct the generator's internal state, recover the signing key and forge a valid administrator session cookie — reaching full admin access and code execution through HFS's built-in server_code configuration feature (arbitrary server-side script), with no authentication or user interaction (VulnCheck, 2026-07-13). Five companion bugs, all verified on NVD and fixed in the same 3.2.1 release, lower the bar further: unauthenticated username enumeration including the default admin account (CVE-2026-61503), state-changing admin actions accepted over GET with no anti-CSRF check (CVE-2026-61502), stored XSS rendered when an admin views the log via a crafted failed-login username (CVE-2026-61501) and via unescaped filenames in the fallback "basic" listing reachable by anonymous uploaders (CVE-2026-61504), and a lang-parameter path traversal limited to reading specific JSON files outside shared folders (CVE-2026-61505). No in-the-wild exploitation of this 3.x chain has been reported yet; the risk is the standard one for a pre-auth, unauthenticated-RCE flaw in internet-facing file-sharing software whose patch is already public — once the forge-the-cookie technique is understood, an exposed instance is a low-effort opportunistic target.

Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login.

A remote attacker can collect a small number of login responses, reconstruct the generator's state, recover the signing key, and forge a valid administrator session cookie, leading to full administrative access and remote code execution via the server_code configuration feature.

VulnCheck 2026-07-13
vulnerability13 Jul 20:33Zmulti-sourceOpen finding ↗