GHSA-868x-cwwh-grm3MediumCVSS 5.4

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing,...

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.

🔗 References (4)