CVE-2026-61504 in HFS
Summary
by MITRE • 07/13/2026
Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability exists in Rejetto HFS versions 3.0.0 through 3.2.0 where the web server fails to properly escape file names in its basic web listing functionality. The flaw occurs when the ?get=basic parameter is used to force the display of a fallback listing, which can be triggered by any web browser regardless of authentication status. This represents a classic cross-site scripting vulnerability that falls under CWE-79, specifically involving improper neutralization of input during web page generation. The vulnerability allows for arbitrary code execution in the context of a victim's browser when they view the directory listing.
The technical implementation of this flaw stems from the web server's failure to sanitize user-provided file names before rendering them in HTML output. When an attacker uploads a file with malicious script content in its name, and subsequently triggers the basic listing view through the ?get=basic parameter, the unescaped script tags become executable within the victim's browser environment. This vulnerability is particularly dangerous because it requires minimal privileges to exploit - either upload permissions or access to an open upload folder on the server. The attack vector leverages the browser's rendering of HTML content, making it difficult to detect through traditional network monitoring approaches.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent means of delivering malicious payloads to unsuspecting users. An attacker can craft file names that contain embedded javascript or other client-side exploits, which execute whenever any user views the directory listing. This creates a vector for phishing attacks, credential theft, or malware distribution that can affect multiple users over time. The vulnerability also aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript, as it enables the execution of malicious javascript code through web-based interfaces.
Mitigation strategies should focus on immediate patching of affected Rejetto HFS versions to 3.2.1 or later where this vulnerability has been addressed. Organizations should implement proper input validation and output encoding for all user-provided content displayed in web interfaces, ensuring that special characters are properly escaped before HTML rendering occurs. Network administrators should also consider restricting access to upload directories and implementing web application firewalls that can detect and block suspicious parameter usage patterns. Additionally, regular security audits of web applications should include testing for similar cross-site scripting vulnerabilities in file name handling and directory listing functionality. The vulnerability demonstrates the importance of secure coding practices around user input processing and highlights the need for comprehensive security testing of web interfaces that handle user-generated content.