← Back

CVE-2026-28674

nvd nist
Published: Mar 18, 2026Modified: Mar 23, 2026

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

Affected (1)

Products: Danvei233: Xiaoheifs
Danvei233
1 product
Xiaoheifs
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Xiaoheifs
Before 0.4.0

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

Source: security-advisories@github.com
ExploitVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor Advisory

Timeline

No history available yet.