PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61501 rejetto CVE debrief

CVE-2026-61501 is a stored cross-site scripting (XSS) vulnerability in Rejetto HFS 3.0.0 through 3.2.0. The vulnerability allows a remote unauthenticated attacker to submit a failed login with a crafted username that is written to the error log. When an administrator views the logs, the crafted username executes JavaScript in the administrator's browser. This enables the attacker to create accounts or execute code on the server with the administrator's privileges.

Vendor
rejetto
Product
hfs
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Administrators and users of Rejetto HFS 3.0.0 through 3.2.0 should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability is particularly concerning because it can be exploited by unauthenticated attackers, and the impact can be significant if an administrator's account is compromised.

Technical summary

The vulnerability exists because Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without proper sanitization. An attacker can exploit this by submitting a specially crafted username during a failed login attempt. The crafted username is stored in the error log and, when viewed by an administrator, executes malicious JavaScript code in the administrator's browser. This allows the attacker to perform actions such as creating new accounts or executing arbitrary code on the server with the privileges of the administrator.

Defensive priority

High

Recommended defensive actions

  • Update Rejetto HFS to version 3.2.1 or later
  • Implement input validation and output encoding for usernames in login attempts
  • Monitor logs for suspicious login attempts
  • Restrict access to the administration panel
  • Regularly review logs for potential security incidents

Evidence notes

The CVE record was published on 2026-07-13T18:16:30.043Z and was last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Limited details are available about the specific exploits or attacks related to this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T18:16:30.043Z and has not been modified since then. The NVD entry is currently Deferred.