PT-2026-25970 · Xiaoheifs
Yinglongkaqi
Published 2026-03-18 · Updated 2026-03-19
CVE-2026-28673
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
xiaoheiFS versions up to and including 0.3.15
Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. Its standard plugin system lets administrators upload a ZIP file containing a binary and a manifest.json. The server trusts the `binaries` field of manifest.json, which names the file to execute, and runs that file without validating its contents or behaviour. This can lead to Remote Code Execution (RCE). Version 0.4.0 resolves this issue.
Recommendations
Versions prior to 0.4.0 should be updated to version 0.4.0 or later.
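The following is an added example, not code from the xiaoheiFS project (the page does not state the project's language, so Python is used here). It shows the checks a plugin loader needs before running anything named in a manifest's `binaries` field: confinement of each path to the plugin directory, existence of the file, and a match against an operator-maintained SHA-256 allowlist, plus a zip-slip check on archive members before extraction. The manifest layout, the allowlist, and every function name are assumptions made for this illustration.

```python
"""Added example (not xiaoheiFS project code): validate a plugin manifest's
`binaries` field before anything it names is executed, and screen the uploaded
ZIP's members before extraction. Schema, allowlist and names are assumptions."""
import hashlib
import io
import json
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class ManifestError(ValueError):
    """Raised when a manifest, an archive member, or a declared binary fails validation."""


def load_manifest(text: str) -> dict:
    """Parse manifest.json and require a JSON object at the top level."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ManifestError("manifest must be a JSON object")
    return data


def check_zip_entries(zf: zipfile.ZipFile) -> list[str]:
    """Reject archive members that would land outside the extraction root (zip-slip)."""
    names = []
    for info in zf.infolist():
        name = info.filename
        parts = PurePosixPath(name).parts
        if not name or name.startswith("/") or "\\" in name or ".." in parts:
            raise ManifestError(f"unsafe archive member: {name!r}")
        names.append(name)
    return names


def resolve_inside(plugin_dir: Path, entry: str) -> Path:
    """Return the absolute path for `entry` only if it resolves inside plugin_dir."""
    rel = PurePosixPath(entry)
    if not entry or rel.is_absolute() or "\\" in entry or ".." in rel.parts:
        raise ManifestError(f"unsafe path in manifest: {entry!r}")
    root = plugin_dir.resolve()
    target = (root / Path(*rel.parts)).resolve()  # resolve() also follows symlinks
    if root not in target.parents:
        raise ManifestError(f"path escapes plugin directory: {entry!r}")
    return target


def validate_binaries(plugin_dir: Path, manifest: dict, allowlist: dict) -> list[Path]:
    """Check each declared binary for shape, location, presence and expected hash.

    `allowlist` maps a relative path to its expected SHA-256 hex digest; it is assumed
    to be maintained by the operator out of band, never taken from the upload itself."""
    binaries = manifest.get("binaries")
    if not isinstance(binaries, list) or not binaries:
        raise ManifestError("manifest must declare a non-empty list of binaries")
    approved = []
    for entry in binaries:
        if not isinstance(entry, str):
            raise ManifestError(f"binary entry must be a string: {entry!r}")
        target = resolve_inside(plugin_dir, entry)
        if not target.is_file():
            raise ManifestError(f"declared binary missing: {entry!r}")
        expected = allowlist.get(entry)
        if expected is None:
            raise ManifestError(f"binary not in allowlist: {entry!r}")
        if hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            raise ManifestError(f"hash mismatch for {entry!r}")
        approved.append(target)
    return approved


def run_demo() -> dict:
    """Constructed demonstration: one well-formed plugin and several rejected variants."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / "plugin"
        (plugin_dir / "bin").mkdir(parents=True)
        binary = plugin_dir / "bin" / "report"
        binary.write_bytes(b"#!/bin/sh\necho constructed plugin binary\n")  # constructed sample
        allowlist = {"bin/report": hashlib.sha256(binary.read_bytes()).hexdigest()}

        good = load_manifest('{"name": "report", "binaries": ["bin/report"]}')
        results["good"] = [p.name for p in validate_binaries(plugin_dir, good, allowlist)]

        bad_cases = {
            "traversal": {"binaries": ["../../bin/sh"]},
            "absolute": {"binaries": ["/bin/sh"]},
            "missing": {"binaries": ["bin/other"]},
        }
        for label, manifest in bad_cases.items():
            try:
                validate_binaries(plugin_dir, manifest, allowlist)
                results[label] = "accepted"
            except ManifestError:
                results[label] = "rejected"

        binary.write_bytes(binary.read_bytes() + b"# modified after approval\n")
        try:
            validate_binaries(plugin_dir, good, allowlist)
            results["tampered"] = "accepted"
        except ManifestError:
            results["tampered"] = "rejected"

        buf = io.BytesIO()  # constructed upload with a zip-slip member
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("plugin/manifest.json", "{}")
            zf.writestr("../evil", b"x")
        try:
            check_zip_entries(zipfile.ZipFile(io.BytesIO(buf.getvalue())))
            results["zip_slip"] = "accepted"
        except ManifestError:
            results["zip_slip"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The allowlist hash is the control that actually addresses the advisory: path confinement alone still lets an uploaded archive ship whatever binary it likes, so the loader must only run files whose digest the operator has approved independently of the upload.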
Links: Exploit · Fix
Tags: RCE · Unrestricted File Upload · OS Command Injection
Related Identifiers: CVE-2026-28673
Affected Products: Xiaoheifs