{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28673", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.926Z", "datePublished": "2026-03-18T00:41:35.055Z", "dateUpdated": "2026-03-18T14:34:38.632Z"}, "containers": {"cna": {"title": "xiaoheiFS Vulnerable to RCE via Unrestricted Plugin Installation (Manifest Manipulation)", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v"}], "affected": [{"vendor": "danvei233", "product": "xiaoheiFS", "versions": [{"version": "< 0.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:41:35.055Z"}, "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue."}], "source": {"advisory": "GHSA-4vw4-5wmh-7x4v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:34:34.131527Z", "id": "CVE-2026-28673", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:34:38.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28673", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T14:34:34.131527Z"}}}], "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:34:28.838Z"}}], "cna": {"title": "xiaoheiFS Vulnerable to RCE via Unrestricted Plugin Installation (Manifest Manipulation)", "source": {"advisory": "GHSA-4vw4-5wmh-7x4v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danvei233", "product": "xiaoheiFS", "versions": [{"status": "affected", "version": "< 0.4.0"}]}], "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "name": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:41:35.055Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28673", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:34:38.632Z", "dateReserved": "2026-03-02T21:43:19.926Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T00:41:35.055Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0180A96-D887-4385-AC4F-58ECEAAC15D3", "versionEndExcluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue."}, {"lang": "es", "value": "xiaoheiFS es un sistema financiero y operativo autoalojado para negocios de servicios en la nube. En versiones hasta la 0.3.15 inclusive, el sistema de plugin est\u00e1ndar permite a los administradores subir un archivo ZIP que contiene un binario y un `manifest.json`. El servidor conf\u00eda en el campo `binaries` en el manifiesto y ejecuta el archivo especificado sin ninguna validaci\u00f3n de su contenido o comportamiento, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La versi\u00f3n 0.4.0 soluciona el problema."}], "id": "CVE-2026-28673", "lastModified": "2026-03-23T17:58:19.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T01:16:05.117", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xiaoheiFS", "source": "cna", "vendor": "danvei233"}, "product": "xiaoheifs", "vendor": "danvei233"}], "analysis": {"en": {"generated_at": "2026-03-23T19:36:15.744863+00:00", "value": {"mitigation_remediation": ["Upgrade xiaoheiFS to version 0.4.0 or later, which removes the insecure plugin handling logic.", "If an upgrade is not immediately possible, restrict the plugin upload feature to trusted administrators and consider disabling it until a patch can be applied.", "Monitor the system for anomalous plugin upload activity or unexpected process execution to detect potential exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is danvei233\u2019s xiaoheiFS, a self\u2011hosted financial and operational system used by cloud service providers. Versions up to and including 0.3.15 are vulnerable; the issue is resolved in version 0.4.0 and later.\n\nAdministrators who can upload plugins to the xiaoheiFS instance are at risk.\n\nUsers of any earlier releases should immediately plan an upgrade.", "description_and_impact": "The vulnerability allows an administrator to upload a ZIP file containing a binary and a manifest.json. The server trusts the binaries field in the manifest and executes the specified file without validating its contents or behavior, enabling an attacker to run arbitrary code on the host.\n\nThis flaw effectively grants remote code execution on the underlying system, allowing a malicious actor to execute commands, tamper with data, and potentially compromise the entire self\u2011hosted financial platform.\n\nThe weakness is a classic example of unrestricted file upload and command injection, reflected in CWE\u2011434 and CWE\u201178, and poses a severe threat to confidentiality, integrity and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity impact. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog.\n\nHowever, exploitation requires administrative access to upload a malicious plugin, meaning attackers must first compromise or have legitimate access to the system. Once authenticated, they can deploy arbitrary binaries and achieve full control of the host.\n\nGiven the high severity, moderate exploitation probability, and privileged attacker requirement, organizations running affected versions should treat this as a significant risk and act promptly."}}}}, "created": "2026-03-18T10:42:22.893795+00:00", "updated": "2026-03-24T10:53:52.877436+00:00", "vendors": ["danvei233", "danvei233$PRODUCT$xiaoheifs"]}