CVE-2026-28674

Name of the Vulnerable Software and Affected Versions xiaoheiFS versions prior to 4.0.0

Description xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. Versions up to and including 0.3.15 allow administrators to upload any file to the plugins/payment/ directory via the AdminPaymentPluginUpload endpoint. The system only verifies a hardcoded password (qweasd123456) and does not inspect the file content. A background process, StartWatcher, scans this directory every 5 seconds and immediately executes any new executable files found, leading to Remote Code Execution (RCE).

Recommendations Versions prior to 4.0.0 should be updated to version 4.0.0 or later.