The vulnerability allows an administrator to upload a ZIP file containing a binary and a manifest.json. The server trusts the binaries field in the manifest and executes the specified file without validating its contents or behavior, enabling an attacker to run arbitrary code on the host. This flaw effectively grants remote code execution on the underlying system, allowing a malicious actor to execute commands, tamper with data, and potentially compromise the entire self‑hosted financial platform. The weakness is a classic example of unrestricted file upload and command injection, reflected in CWE‑434 and CWE‑78, and poses a severe threat to confidentiality, integrity and availability of the affected system.

The affected product is danvei233’s xiaoheiFS, a self‑hosted financial and operational system used by cloud service providers. Versions up to and including 0.3.15 are vulnerable; the issue is resolved in version 0.4.0 and later. Administrators who can upload plugins to the xiaoheiFS instance are at risk. Users of any earlier releases should immediately plan an upgrade.

The CVSS score of 7.2 indicates a high severity impact. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation requires administrative access to upload a malicious plugin, meaning attackers must first compromise or have legitimate access to the system. Once authenticated, they can deploy arbitrary binaries and achieve full control of the host. Given the high severity, moderate exploitation probability, and privileged attacker requirement, organizations running affected versions should treat this as a significant risk and act promptly.