PT-2026-57843 · Rejetto · Hfs

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-61502

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Rejetto HFS versions 3.0.0 through 3.2.0
Description Rejetto HFS accepts state-changing API requests via the GET method and exempts these requests from its anti-CSRF (Cross-Site Request Forgery) header check. Cross-Site Request Forgery is a technique where an attacker tricks a victim into performing actions they did not intend to do on a different website. A remote attacker can perform administrative actions, such as account creation and configuration changes, which can lead to code execution. This is achieved by inducing a logged-in administrator's browser to navigate to a crafted URL or by targeting default installations when the attack originates from the server's own machine.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61502

Affected Products

Hfs