CVE-2026-28673
CVE-2026-28673
7.2
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- High
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
References
security-advisories@github.com
https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v