PT-2026-25970 · Xiaoheifs · Xiaoheifs

Yinglongkaqi

·

Published

2026-03-18

·

Updated

2026-03-19

·

CVE-2026-28673

CVSS v3.1

7.2

High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: xiaoheiFS versions up to and including 0.3.15

Description: xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. Its standard plugin system allows administrators to upload a ZIP file containing a binary and a manifest.json. The binaries field of manifest.json names the file to be executed, and the server trusts that field and runs the named file without validating its contents or behavior. An administrator-level account can therefore achieve Remote Code Execution (RCE) on the server. Version 0.4.0 resolves this issue.

Recommendations: Versions prior to 0.4.0 should be updated to version 0.4.0 or later.

Exploit

Fix

RCE

Unrestricted File Upload

OS Command Injection


Weakness Enumeration

Related identifiers

CVE-2026-28673

Affected products

Xiaoheifs