CVE-2026-28674

Summary

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password (qweasd123456) and ignores file content. A background watcher (StartWatcher) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
danvei233xiaoheiFS< 0.4.0affected

Weaknesses

  • CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-798: CWE-798: Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References