{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28674", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.926Z", "datePublished": "2026-03-18T00:48:39.652Z", "dateUpdated": "2026-03-18T14:34:00.955Z"}, "containers": {"cna": {"title": "xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-798", "lang": "en", "description": "CWE-798: Use of Hard-coded Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p"}], "affected": [{"vendor": "danvei233", "product": "xiaoheiFS", "versions": [{"version": "< 0.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:48:39.652Z"}, "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue."}], "source": {"advisory": "GHSA-hcj4-gfvq-qv4p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:33:57.945306Z", "id": "CVE-2026-28674", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:34:00.955Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28674", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T14:33:57.945306Z"}}}], "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:33:49.730Z"}}], "cna": {"title": "xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)", "source": {"advisory": "GHSA-hcj4-gfvq-qv4p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danvei233", "product": "xiaoheiFS", "versions": [{"status": "affected", "version": "< 0.4.0"}]}], "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "name": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:48:39.652Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28674", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:34:00.955Z", "dateReserved": "2026-03-02T21:43:19.926Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T00:48:39.652Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0180A96-D887-4385-AC4F-58ECEAAC15D3", "versionEndExcluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue."}, {"lang": "es", "value": "xiaoheiFS es un sistema financiero y operativo autohospedado para negocios de servicios en la nube. En versiones hasta la 0.3.15 inclusive, el endpoint 'AdminPaymentPluginUpload' permite a los administradores subir cualquier archivo a 'plugins/payment/'. Solo verifica una contrase\u00f1a codificada ('qweasd123456') e ignora el contenido del archivo. Un observador en segundo plano ('StartWatcher') escanea esta carpeta cada 5 segundos. Si encuentra un nuevo ejecutable, lo ejecuta inmediatamente, lo que resulta en RCE. La versi\u00f3n 4.0.0 corrige el problema."}], "id": "CVE-2026-28674", "lastModified": "2026-03-23T17:57:34.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T01:16:05.280", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xiaoheiFS", "source": "cna", "vendor": "danvei233"}, "product": "xiaoheifs", "vendor": "danvei233"}], "analysis": {"en": {"generated_at": "2026-03-23T20:42:31.613463+00:00", "value": {"mitigation_remediation": ["Upgrade xiaoheiFS to version 4.0.0 or later.", "Disable the AdminPaymentPluginUpload endpoint or remove the hard\u2011coded password check if an upgrade cannot be performed immediately.", "Restrict the plugins/payment directory to reject executable uploads and set file permissions to prevent execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is xiaoheiFS, a self\u2011hosted financial and operational system used by cloud service businesses, developed by danvei233. All releases up to and including version 0.3.15 are vulnerable. The information in the advisory states that version 4.0.0 contains the fix.", "description_and_impact": "The vulnerability permits an administrator to upload any file through the AdminPaymentPluginUpload endpoint, without validating file type or content beyond checking a hard\u2011coded password (qweasd123456). When an executable file is placed in the plugins/payment directory, a background watcher automatically detects and runs it, giving attackers the ability to execute arbitrary code on the server. The flaw is an unrestricted file upload coupled with hard\u2011coded credentials, reflected by CWE-434 and CWE-798.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a moderate to high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker who has obtained the hard\u2011coded password can simply upload a malicious executable; the system will immediately execute it with system privileges, without the need for additional network or privilege escalation steps. The attack path is therefore straightforward, making the risk significant for any compromised or exposed account."}}}}, "created": "2026-03-18T10:42:21.909467+00:00", "updated": "2026-03-24T10:53:51.981673+00:00", "vendors": ["danvei233", "danvei233$PRODUCT$xiaoheifs"]}