PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61505 rejetto CVE debrief

A path traversal vulnerability exists in Rejetto HFS versions 3.0.0 through 3.2.0. This vulnerability allows a remote unauthenticated attacker to read certain JSON files outside the shared folders by manipulating the lang query parameter. The exploitation is limited to files matching a specific naming and format pattern, which restricts the practical impact of the vulnerability.

Vendor
rejetto
Product
hfs
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Administrators and users of Rejetto HFS versions 3.0.0 through 3.2.0 should be aware of this vulnerability and take necessary actions to mitigate the risk. This vulnerability has a CVSS score of 6.9 and a severity rating of MEDIUM.

Technical summary

The vulnerability is caused by inadequate input validation in the lang query parameter, which allows an attacker to traverse the file system and access JSON files outside the intended shared folders. The vulnerability has been assigned a CVSS score of 6.9 and a severity rating of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Medium priority should be given to patching or mitigating this vulnerability, as it allows for limited file disclosure and has a MEDIUM severity rating.

Recommended defensive actions

  • Apply the patch or update to version 3.2.1 or later
  • Restrict access to the lang query parameter
  • Monitor for suspicious activity
  • Perform inventory checks for affected versions
  • Consider compensating controls such as web application firewalls

Evidence notes

The CVE record was published on 2026-07-13T18:16:30.563Z and last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Limited details are available about the specific files that can be accessed through this vulnerability, but it is noted that exploitation is constrained to files matching a narrow naming and format pattern.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T18:16:30.563Z and has not been modified since then. The NVD entry is currently Deferred.