CVE-2026-28674 | THREATINT

Description

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

PUBLISHED Reserved 2026-03-02 | Published 2026-03-18 | Updated 2026-03-18 | Assigner GitHub_M

HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

CWE-798: Use of Hard-coded Credentials

Product status

< 0.4.0

affected

References

github.com/...oheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p exploit

github.com/...oheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p

cve.org (CVE-2026-28674)

nvd.nist.gov (CVE-2026-28674)

Download JSON