2026-07-13 · view entry permalink →
CVE-2026-61500 — Rejetto HFS < 3.2.1: predictable session-signing PRNG lets an unauthenticated attacker forge admin sessions to RCE (CVSS 9.3)
VulnCheck disclosed a six-CVE chain in Rejetto HFS (HTTP File Server) 3.0.0 through 3.2.0, all fixed in 3.2.1 on 2026-07-13 (VulnCheck, 2026-07-13). The headline flaw, CVE-2026-61500 (CVSS 4.0 9.3, CWE-338 weak PRNG), derives the session-cookie signing key from JavaScript's non-cryptographic Math.random() and leaks outputs of that same generator to unauthenticated clients on the login endpoint; an attacker who collects a small number of login responses can reconstruct the generator's internal state, recover the signing key and forge a valid administrator session cookie — reaching full admin access and code execution through HFS's built-in server_code configuration feature (arbitrary server-side script), with no authentication or user interaction (VulnCheck, 2026-07-13). Five companion bugs, all verified on NVD and fixed in the same 3.2.1 release, lower the bar further: unauthenticated username enumeration including the default admin account (CVE-2026-61503), state-changing admin actions accepted over GET with no anti-CSRF check (CVE-2026-61502), stored XSS rendered when an admin views the log via a crafted failed-login username (CVE-2026-61501) and via unescaped filenames in the fallback "basic" listing reachable by anonymous uploaders (CVE-2026-61504), and a lang-parameter path traversal limited to reading specific JSON files outside shared folders (CVE-2026-61505). No in-the-wild exploitation of this 3.x chain has been reported yet; the risk is the standard one for a pre-auth, unauthenticated-RCE flaw in internet-facing file-sharing software whose patch is already public — once the forge-the-cookie technique is understood, an exposed instance is a low-effort opportunistic target.
Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login.
A remote attacker can collect a small number of login responses, reconstruct the generator's state, recover the signing key, and forge a valid administrator session cookie, leading to full administrative access and remote code execution via the server_code configuration feature.