Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
Published: 2026-03-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lets an administrator upload any file through the AdminPaymentPluginUpload endpoint; the only check is a hard-coded password (qweasd123456), and neither file type nor content is validated. When an executable lands in the plugins/payment directory, a background watcher detects it and runs it automatically, so whoever controls the upload can execute arbitrary code on the server. The flaw is an unrestricted file upload (CWE-434, Unrestricted Upload of File with Dangerous Type) combined with a hard-coded credential (CWE-798, Use of Hard-coded Credentials).

Affected Systems

The affected product is xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, developed by danvei233. All releases up to and including version 0.3.15 are vulnerable; the advisory states that version 4.0.0 contains the fix.

Risk and Exploitability

The CVSS score of 7.2 (rated High on this page) indicates a moderate to high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term; the vulnerability is not listed in the CISA KEV catalog. An attacker who has obtained the hard-coded password can simply upload a malicious executable, and the system will immediately execute it with system privileges, with no further network access or privilege-escalation step required. The attack path is therefore straightforward, making the risk significant for any compromised or exposed account.

Generated by OpenCVE AI on March 23, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade xiaoheiFS to version 4.0.0 or later.
  • Disable the AdminPaymentPluginUpload endpoint or remove the hard-coded password check if an upgrade cannot be performed immediately.
  • Restrict the plugins/payment directory to reject executable uploads and set file permissions to prevent execution.
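As an added illustration of the last two recommendations (this is not code from xiaoheiFS, whose upload handler is not shown on this page), the following Go functions are a hypothetical acceptance step for a plugin upload handler: they reject names with path components, restrict the extension to an allowlist, refuse bodies that start with a known executable or script signature, and write the file with mode 0644 so it never carries the execute bit. The allowlist, the magic-byte table and the directory argument are assumptions; Go is chosen because the exported identifiers on the page suggest it, though the page does not state the project's language.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// Constructed table of leading bytes that identify native executables and scripts.
var executableMagics = [][]byte{
	[]byte("\x7fELF"),        // ELF (Linux)
	[]byte("MZ"),             // PE (Windows)
	[]byte("#!"),             // interpreter line of a shell/python/... script
	{0xcf, 0xfa, 0xed, 0xfe}, // Mach-O 64-bit, little-endian
}

// Assumed allowlist: payment plugin descriptors are data files, never code.
var allowedExt = map[string]bool{".json": true, ".yaml": true, ".yml": true}

// ValidatePluginUpload rejects any upload that a directory watcher could execute.
func ValidatePluginUpload(name string, data []byte) error {
	if name != filepath.Base(name) || strings.ContainsAny(name, `/\`) {
		return fmt.Errorf("file name %q must be a bare name with no path components", name)
	}
	if !allowedExt[strings.ToLower(filepath.Ext(name))] {
		return fmt.Errorf("extension %q is not an allowed plugin type", filepath.Ext(name))
	}
	for _, magic := range executableMagics {
		if bytes.HasPrefix(data, magic) {
			return fmt.Errorf("executable content is not accepted as a plugin")
		}
	}
	return nil
}

// SavePluginFile stores a validated upload with mode 0644 (no execute bit) and refuses to overwrite.
func SavePluginFile(dir, name string, data []byte) (string, error) {
	if err := ValidatePluginUpload(name, data); err != nil {
		return "", err
	}
	dst := filepath.Join(dir, name)
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(data)
	return dst, err
}
```

Pairing this with a watcher that loads only descriptor files, rather than executing whatever appears in the directory, removes the automatic-execution half of the issue.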

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:00:00 +0000
  CPEs (added): cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 15:15:00 +0000
  Metrics, ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000
  First Time appeared (added): Danvei233; Danvei233 xiaoheifs
  Vendors & Products (added): Danvei233; Danvei233 xiaoheifs

Wed, 18 Mar 2026 01:00:00 +0000
  Description (added): xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
  Title (added): xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)
  Weaknesses (added): CWE-434, CWE-798
  References (added): (none)
  Metrics, cvssV3_1 (added): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-18T14:34:00.955Z
Reserved: 2026-03-02T21:43:19.926Z
Link: CVE-2026-28674

Vulnrichment

Updated: 2026-03-18T14:33:49.730Z

NVD

Status: Analyzed
Published: 2026-03-18T01:16:05.280
Modified: 2026-03-23T17:57:34.633
Link: CVE-2026-28674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:51Z

Weaknesses