xiaoheiFS Admins Can Run Any File on Their Servers
CVE-2026-28674
Summary
xiaoheiFS versions up to and including 0.3.15 expose an admin payment-plugin upload endpoint whose only access check is a hardcoded password and which accepts any file into `plugins/payment/`. A background watcher polls that directory every 5 seconds and executes any new executable it finds, so an administrator, or anyone else who knows the hardcoded password, can run arbitrary code on the server. Version 4.0.0 fixes the issue; update to 4.0.0 or later. On an instance that is still unpatched, review `plugins/payment/` for executable files you did not place there, since anything new in that directory is what the watcher runs.
Original title
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file...
Original description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
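The two cooperating weaknesses in the description above, as an added Go example that is not xiaoheiFS code (the project's language is not stated on this page; Go is assumed from the identifier style), with a hardened upload handler beside the vulnerable pattern. Every name in the block (`vulnerableUpload`, `vulnerableWatchOnce`, `hardenedUpload`, `uploadConfig`), the ZIP plugin format and the per-deployment secret are this example's own assumptions; the watcher model only lists what would be executed and never runs anything:

```go
package main

// Added illustration of the bug class in CVE-2026-28674, not xiaoheiFS code.
// The advisory describes an upload gate whose only check is a hardcoded
// password (CWE-798) and that accepts any file (CWE-434), plus a watcher that
// executes new executables in the upload directory.

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// hardcodedPassword is the credential quoted in the advisory.
const hardcodedPassword = "qweasd123456"

// vulnerableUpload models the described endpoint: if the password matches,
// the file is written into the watched directory exactly as received.
func vulnerableUpload(pluginDir, password, name string, content []byte) (string, error) {
	if password != hardcodedPassword {
		return "", errors.New("bad password")
	}
	dst := filepath.Join(pluginDir, name) // no name check: "../x" escapes pluginDir
	if err := os.WriteFile(dst, content, 0o755); err != nil { // executable bit set
		return "", err
	}
	return dst, nil
}

// vulnerableWatchOnce models one tick of the 5-second watcher and returns the
// new executable files it finds, i.e. what the real watcher would run. This
// model only lists them; it never executes anything.
func vulnerableWatchOnce(pluginDir string, seen map[string]bool) ([]string, error) {
	entries, err := os.ReadDir(pluginDir)
	if err != nil {
		return nil, err
	}
	var toRun []string
	for _, e := range entries {
		path := filepath.Join(pluginDir, e.Name())
		info, err := e.Info()
		if err != nil || !info.Mode().IsRegular() || seen[path] {
			continue
		}
		seen[path] = true
		if info.Mode().Perm()&0o111 != 0 {
			toRun = append(toRun, path) // the real watcher would exec this
		}
	}
	return toRun, nil
}

// uploadConfig is this example's own configuration type, not xiaoheiFS's.
type uploadConfig struct {
	Secret     []byte // per-deployment secret from config, never a source literal
	StagingDir string // a directory the watcher does not scan
}

// hardenedUpload requires an admin session, compares the secret in constant
// time, restricts the name to a plain ".zip" basename (assumption: plugins
// ship as ZIP archives), checks the ZIP magic, and writes the file
// non-executable into a staging directory. Nothing here auto-runs.
func hardenedUpload(cfg uploadConfig, sessionIsAdmin bool, secret, name string, content []byte) (string, error) {
	if !sessionIsAdmin {
		return "", errors.New("admin session required")
	}
	if subtle.ConstantTimeCompare([]byte(secret), cfg.Secret) != 1 {
		return "", errors.New("bad secret")
	}
	if name != filepath.Base(name) || strings.HasPrefix(name, ".") || !strings.HasSuffix(name, ".zip") {
		return "", errors.New("invalid plugin file name")
	}
	if !bytes.HasPrefix(content, []byte("PK\x03\x04")) {
		return "", errors.New("content is not a ZIP archive")
	}
	dst := filepath.Join(cfg.StagingDir, name)
	if err := os.WriteFile(dst, content, 0o644); err != nil {
		return "", err
	}
	return dst, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "plugins-payment") // stand-in for plugins/payment/
	defer os.RemoveAll(dir)
	seen := map[string]bool{}
	dst, _ := vulnerableUpload(dir, hardcodedPassword, "evil.sh", []byte("#!/bin/sh\necho owned\n"))
	toRun, _ := vulnerableWatchOnce(dir, seen)
	fmt.Println("vulnerable watcher would execute:", toRun, "(uploaded", dst+")")
	cfg := uploadConfig{Secret: []byte("example-secret"), StagingDir: dir}
	_, err := hardenedUpload(cfg, true, "example-secret", "evil.sh", []byte("#!/bin/sh\n"))
	fmt.Println("hardened handler rejects the same upload:", err)
}
```

The hardened handler breaks each link of the chain separately: the secret is compared in constant time against a deployed value rather than a literal, the session check means the secret alone is not enough, the basename and extension rules stop traversal and script uploads, the magic-byte check stops a renamed binary, and the write lands non-executable in a directory the watcher never polls, so even a file that slips through the other checks is not run.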
NVD CVSS 3.1 base score
7.2
Vulnerability type
CWE-434
Unrestricted File Upload
CWE-798
Use of Hard-coded Credentials
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026