PatchSiren cyber security CVE debrief
CVE-2026-61505 rejetto CVE debrief
A path traversal vulnerability exists in Rejetto HFS versions 3.0.0 through 3.2.0. This vulnerability allows a remote unauthenticated attacker to read certain JSON files outside the shared folders by manipulating the lang query parameter. The exploitation is limited to files matching a specific naming and format pattern, which restricts the practical impact of the vulnerability.
- Vendor
- rejetto
- Product
- hfs
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of Rejetto HFS versions 3.0.0 through 3.2.0 should be aware of this vulnerability and take necessary actions to mitigate the risk. This vulnerability has a CVSS score of 6.9 and a severity rating of MEDIUM.
Technical summary
The vulnerability is caused by inadequate input validation in the lang query parameter, which allows an attacker to traverse the file system and access JSON files outside the intended shared folders. The vulnerability has been assigned a CVSS score of 6.9 and a severity rating of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
Medium priority should be given to patching or mitigating this vulnerability, as it allows for limited file disclosure and has a MEDIUM severity rating.
Recommended defensive actions
- Apply the patch or update to version 3.2.1 or later
- Restrict access to the lang query parameter
- Monitor for suspicious activity
- Perform inventory checks for affected versions
- Consider compensating controls such as web application firewalls
Evidence notes
The CVE record was published on 2026-07-13T18:16:30.563Z and last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Limited details are available about the specific files that can be accessed through this vulnerability, but it is noted that exploitation is constrained to files matching a narrow naming and format pattern.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T18:16:30.563Z and has not been modified since then. The NVD entry is currently Deferred.