CVE-2026-28674
Remote Code Execution via Insecure File Upload in xiaoheiFS
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| danvei233 | xiaoheifs | < 0.4.0 (0.4.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28674 is a high-severity remote code execution (RCE) vulnerability in the xiaoheiFS project versions up to 0.3.15. It occurs because the AdminPaymentPluginUpload endpoint allows authenticated administrators to upload any file to the plugins/payment/ directory by only verifying a hardcoded password (qweasd123456) without checking the file type or content.
A background watcher function scans this directory every 5 seconds and immediately executes any new executable files it finds. This means an attacker with admin privileges can upload a malicious executable that will be run automatically, leading to remote code execution on the server.
How can this vulnerability impact me?
This vulnerability allows an attacker with admin privileges to execute arbitrary code remotely on the affected server. This can lead to full compromise of the system, including unauthorized access to sensitive data, modification or deletion of data, and disruption of service availability.
Because the attacker can run any executable, they could install backdoors, steal confidential information, or disrupt operations, severely impacting confidentiality, integrity, and availability of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the presence of unauthorized or suspicious executable files in the `plugins/payment/` directory of the xiaoheiFS installation, especially if the system is running a version up to 0.3.15.
Since the vulnerability involves a background watcher that executes any new executable files in that directory every 5 seconds, detection can include checking for unexpected files and monitoring process executions triggered from this directory.
- List files in the plugins/payment directory to identify suspicious executables: `ls -l /path/to/xiaoheiFS/plugins/payment/`
- Check for recently modified or created files in the directory: `find /path/to/xiaoheiFS/plugins/payment/ -type f -mmin -10` (to find files modified in the last 10 minutes)
- Monitor running processes that may have been started from the plugins/payment directory: `ps aux | grep /path/to/xiaoheiFS/plugins/payment/`
- Review application logs for uploads to the AdminPaymentPluginUpload endpoint or authentication attempts using the hardcoded password.
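The file-system checks above can be combined into a single audit. The script below is an added example, not tooling from the xiaoheiFS project: it assumes the operator keeps a baseline manifest (one approved plugin filename per line, a convention invented for this example) and flags any file in `plugins/payment/` that is not in that manifest, has the executable bit set (what the watcher acts on), or was modified within a time window (10 minutes by default, matching the `find -mmin -10` check above).

```shell
#!/bin/sh
# Audit the xiaoheiFS plugins/payment directory for files the background
# watcher could pick up and execute. The baseline manifest (one approved
# plugin filename per line) is an operator-maintained file assumed for this
# example; it is not something xiaoheiFS ships.
#
# usage: audit_payment_plugins <plugins/payment dir> <baseline manifest> [minutes]
# Prints one "SUSPECT <path> [reasons]" line per finding and returns 1 if
# anything was flagged, 0 otherwise.
audit_payment_plugins() {
    dir="$1"
    baseline="$2"
    window="${3:-10}"   # "recently modified" window in minutes
    flagged=0
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue          # skip ., .. and non-regular entries
        name=$(basename "$f")
        reason=""
        # 1. Not in the approved baseline: nobody expects this file here.
        if ! grep -qxF -- "$name" "$baseline"; then
            reason="not-in-baseline"
        fi
        # 2. Executable bit set: exactly what the watcher looks for.
        if [ -x "$f" ]; then
            reason="${reason:+$reason,}executable"
        fi
        # 3. Modified inside the window: consistent with a fresh upload.
        if [ -n "$(find "$f" -type f -mmin "-$window" 2>/dev/null)" ]; then
            reason="${reason:+$reason,}recent"
        fi
        if [ -n "$reason" ]; then
            printf 'SUSPECT %s [%s]\n' "$f" "$reason"
            flagged=1
        fi
    done
    return "$flagged"
}
```

Source the file and run `audit_payment_plugins /path/to/xiaoheiFS/plugins/payment baseline.txt` from cron or a monitoring agent; a non-zero exit is the signal to investigate.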
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade xiaoheiFS to version 4.0.0 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, consider the following steps:
- Restrict access to the AdminPaymentPluginUpload endpoint to trusted administrators only and change any default or hardcoded passwords.
- Implement file type and content validation on uploads to prevent arbitrary executable files from being uploaded.
- Monitor and restrict execution permissions on the `plugins/payment/` directory to prevent automatic execution of uploaded files.
- Disable or modify the background watcher (`StartWatcher`) that automatically executes new files in the plugin directory.