
xiaoheiFS: Malicious zip file execution in plugin upload

CVE-2026-28673
Summary

An attacker can upload a specially crafted zip file to execute arbitrary code on the server, potentially allowing them to take control of the system. This affects all versions of xiaoheiFS up to 0.3.15. Upgrade to version 0.4.0 or later to fix the issue.

Original description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
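The description above says the server executes whatever the manifest's `binaries` field names. As an added defensive illustration (not xiaoheiFS code, and not the fix shipped in 0.4.0; the manifest layout with a `binaries` list and the SHA-256 allow-list are assumptions), this Python validator rejects a plugin ZIP unless every listed binary is a safe relative path that actually exists inside the archive and whose hash an operator has approved:

```python
import hashlib
import io
import json
import posixpath
import zipfile

# Constructed sample "binary" and allow-list (assumption: operators approve plugin hashes).
PLUGIN_SCRIPT = b"#!/bin/sh\necho plugin ok\n"
TRUSTED = {hashlib.sha256(PLUGIN_SCRIPT).hexdigest()}

def build_plugin_zip(manifest: dict, files: dict) -> bytes:
    """Build an in-memory plugin archive: manifest.json plus the listed files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _safe_member(name: str) -> bool:
    """True only for a normalised relative path that cannot escape the plugin dir."""
    name = name.rstrip("/")  # directory entries carry a trailing slash
    if not name or name.startswith("/") or "\\" in name or ":" in name:
        return False
    norm = posixpath.normpath(name)
    return norm == name and norm != ".." and not norm.startswith("../")

def validate_plugin(zip_bytes: bytes, trusted_sha256: set) -> list:
    """Return the list of problems found; an empty list means the upload is acceptable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {info.filename for info in zf.infolist()}
        problems += [f"unsafe member path: {m}" for m in members if not _safe_member(m)]
        if "manifest.json" not in members:
            return problems + ["manifest.json missing"]
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except ValueError:
            return problems + ["manifest.json is not valid JSON"]
        binaries = manifest.get("binaries") if isinstance(manifest, dict) else None
        if not isinstance(binaries, list) or not binaries:
            return problems + ["manifest 'binaries' must be a non-empty list"]
        for entry in binaries:
            if not isinstance(entry, str) or not _safe_member(entry):
                problems.append(f"binary entry rejected: {entry!r}")
            elif entry not in members:
                problems.append(f"binary not inside archive: {entry}")
            elif hashlib.sha256(zf.read(entry)).hexdigest() not in trusted_sha256:
                problems.append(f"binary not on allow-list: {entry}")
    return problems
```

Hash allow-listing is the simplest gate; a signature over the manifest and binaries from a publisher key would scale better than maintaining hashes by hand.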
NVD CVSS 3.1 score: 7.2
Vulnerability types
CWE-78 OS Command Injection
CWE-434 Unrestricted File Upload
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026