PatchSiren cyber security CVE debrief
CVE-2026-61504 rejetto CVE debrief
Rejetto HFS 3.0.0 through 3.2.0 is vulnerable to stored cross-site scripting (XSS) via file names in its 'basic' web listing. An authenticated user with upload permissions, or an anonymous user if the upload folder is open, can store files with malicious script names. When another user views the listing, the script executes in their browser. This vulnerability requires user interaction but can lead to significant impact, including potential code execution in the context of the viewing user's browser.
- Vendor
- rejetto
- Product
- hfs
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Rejetto HFS, especially those with upload permissions or open upload folders, should be aware of this vulnerability and take steps to mitigate it. System administrators and security teams responsible for web applications and user-uploaded content should prioritize patching or mitigating this vulnerability to prevent potential XSS attacks.
Technical summary
The vulnerability exists in the 'basic' web listing feature of Rejetto HFS. When a user with upload permissions or an anonymous user on servers with an open upload folder uploads a file with a malicious name, it can lead to XSS when viewed by another user. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The vulnerability is limited to the web interface and does not affect other components of Rejetto HFS.
Defensive priority
Medium priority should be given to patching or mitigating this vulnerability, as it requires user interaction but can lead to significant impact.
Recommended defensive actions
- Apply the patch from version 3.2.1 or later.
- Restrict upload permissions to trusted users.
- Monitor for suspicious file uploads and listings.
- Consider using a web application firewall (WAF) to detect and prevent XSS attacks.
- Regularly review and update server configurations to ensure security.
- Perform a thorough review of existing file uploads for potential malicious content.
- Implement additional logging and monitoring to detect potential exploitation attempts.
Evidence notes
The CVE record was published on 2026-07-13T18:16:30.437Z and last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected systems and review vendor guidance for specific details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T18:16:30.437Z and has not been modified since then. The NVD entry is currently Deferred.