CVE-2026-61501

Source
https://cve.org/CVERecord?id=CVE-2026-61501
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61501.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-61501
Published
2026-07-13T17:22:39.316Z
Modified
2026-07-14T04:02:29.458117551Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Rejetto HFS < 3.2.1 Stored XSS in Admin Log Viewer
Details

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs are viewed, allowing the attacker to create accounts or execute code on the server with the administrator's privileges.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "3.0.0"
                },
                {
                    "fixed": "3.2.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61501.json"
}
References

Affected packages

Git / github.com/rejetto/hfs

Affected ranges

Type
GIT
Repo
https://github.com/rejetto/hfs
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.0"
        }
    ],
    "source": "DESCRIPTION"
}

Affected versions

v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.1.0
v3.1.0-alpha1
v3.1.0-alpha3
v3.1.0-beta4
v3.1.0-beta5
v3.1.0-beta6
v3.1.0-rc10
v3.1.0-rc11
v3.1.0-rc12
v3.1.0-rc7
v3.1.0-rc8
v3.1.0-rc9
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61501.json"