Executive Summary

CVE-2026-28674 is a high-severity remote code execution (RCE) vulnerability in the xiaoheiFS project versions up to 0.3.15. It occurs because the AdminPaymentPluginUpload endpoint allows authenticated administrators to upload any file to the plugins/payment/ directory by only verifying a hardcoded password (qweasd123456) without checking the file type or content.

A background watcher function scans this directory every 5 seconds and immediately executes any new executable files it finds. This means an attacker with admin privileges can upload a malicious executable that will be run automatically, leading to remote code execution on the server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin privileges to execute arbitrary code remotely on the affected server. This can lead to full compromise of the system, including unauthorized access to sensitive data, modification or deletion of data, and disruption of service availability.

Because the attacker can run any executable, they could install backdoors, steal confidential information, or disrupt operations, severely impacting confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the presence of unauthorized or suspicious executable files in the `plugins/payment/` directory of the xiaoheiFS installation, especially if the system is running a version up to 0.3.15.

Since the vulnerability involves a background watcher that executes any new executable files in that directory every 5 seconds, detection can include checking for unexpected files and monitoring process executions triggered from this directory.

• List files in the plugins/payment directory to identify suspicious executables: `ls -l /path/to/xiaoheiFS/plugins/payment/`
• Check for recently modified or created files in the directory: `find /path/to/xiaoheiFS/plugins/payment/ -type f -mmin -10` (to find files modified in the last 10 minutes)
• Monitor running processes that may have been started from the plugins/payment directory: `ps aux | grep /path/to/xiaoheiFS/plugins/payment/`
• Review application logs for uploads to the AdminPaymentPluginUpload endpoint or authentication attempts using the hardcoded password.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade xiaoheiFS to version 4.0.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, consider the following steps:

• Restrict access to the AdminPaymentPluginUpload endpoint to trusted administrators only and change any default or hardcoded passwords.
• Implement file type and content validation on uploads to prevent arbitrary executable files from being uploaded.
• Monitor and restrict execution permissions on the `plugins/payment/` directory to prevent automatic execution of uploaded files.
• Disable or modify the background watcher (`StartWatcher`) that automatically executes new files in the plugin directory.

Useful 0 Not Useful 0