PatchSiren cyber security CVE debrief
CVE-2026-61501 rejetto CVE debrief
CVE-2026-61501 is a stored cross-site scripting (XSS) vulnerability in Rejetto HFS 3.0.0 through 3.2.0. The vulnerability allows a remote unauthenticated attacker to submit a failed login with a crafted username that is written to the error log. When an administrator views the logs, the crafted username executes JavaScript in the administrator's browser. This enables the attacker to create accounts or execute code on the server with the administrator's privileges.
- Vendor
- rejetto
- Product
- hfs
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of Rejetto HFS 3.0.0 through 3.2.0 should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability is particularly concerning because it can be exploited by unauthenticated attackers, and the impact can be significant if an administrator's account is compromised.
Technical summary
The vulnerability exists because Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without proper sanitization. An attacker can exploit this by submitting a specially crafted username during a failed login attempt. The crafted username is stored in the error log and, when viewed by an administrator, executes malicious JavaScript code in the administrator's browser. This allows the attacker to perform actions such as creating new accounts or executing arbitrary code on the server with the privileges of the administrator.
Defensive priority
High
Recommended defensive actions
- Update Rejetto HFS to version 3.2.1 or later
- Implement input validation and output encoding for usernames in login attempts
- Monitor logs for suspicious login attempts
- Restrict access to the administration panel
- Regularly review logs for potential security incidents
Evidence notes
The CVE record was published on 2026-07-13T18:16:30.043Z and was last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Limited details are available about the specific exploits or attacks related to this vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T18:16:30.043Z and has not been modified since then. The NVD entry is currently Deferred.