CVE-2026-61502: Cross-Site Request Forgery (CSRF) in rejetto hfs
Rejetto HFS versions 3.0.0 through 3.2.0 are vulnerable to a Cross-Site Request Forgery (CSRF) attack due to accepting state-changing API requests via the GET method without enforcing anti-CSRF header checks on these requests. This allows a remote attacker to perform administrative actions, including account creation and configuration changes, potentially leading to code execution. The attack can be executed by tricking a logged-in administrator into visiting a crafted URL or, in default installations, without credentials if the attack originates from the server's own machine.
AI Analysis
Technical Summary
Rejetto HFS versions 3.0.0 through 3.2.0 accept state-changing API requests via the GET method and exempt these GET requests from anti-CSRF header validation. This design flaw enables remote attackers to perform unauthorized administrative actions by causing a logged-in administrator's browser to access a maliciously crafted URL. Additionally, on default installations, attackers originating from the server's local machine can exploit this vulnerability without any credentials. These actions include account creation and configuration changes that may lead to remote code execution.
Potential Impact
An attacker can perform unauthorized administrative actions remotely, including creating accounts and modifying configurations. This can escalate to code execution on the affected system. The vulnerability affects authenticated administrators via CSRF and unauthenticated attackers on default installations from the server's local machine, increasing the risk of compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the administrative interface, avoid using default installations without additional protections, and educate administrators to avoid clicking untrusted links while logged in. Monitor for updates from the vendor regarding patches or official mitigations.
CVE-2026-61502: Cross-Site Request Forgery (CSRF) in rejetto hfs
Description
Rejetto HFS versions 3.0.0 through 3.2.0 are vulnerable to a Cross-Site Request Forgery (CSRF) attack due to accepting state-changing API requests via the GET method without enforcing anti-CSRF header checks on these requests. This allows a remote attacker to perform administrative actions, including account creation and configuration changes, potentially leading to code execution. The attack can be executed by tricking a logged-in administrator into visiting a crafted URL or, in default installations, without credentials if the attack originates from the server's own machine.
CVSS v4.0
Score 5.1medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Rejetto HFS versions 3.0.0 through 3.2.0 accept state-changing API requests via the GET method and exempt these GET requests from anti-CSRF header validation. This design flaw enables remote attackers to perform unauthorized administrative actions by causing a logged-in administrator's browser to access a maliciously crafted URL. Additionally, on default installations, attackers originating from the server's local machine can exploit this vulnerability without any credentials. These actions include account creation and configuration changes that may lead to remote code execution.
Potential Impact
An attacker can perform unauthorized administrative actions remotely, including creating accounts and modifying configurations. This can escalate to code execution on the affected system. The vulnerability affects authenticated administrators via CSRF and unauthenticated attackers on default installations from the server's local machine, increasing the risk of compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the administrative interface, avoid using default installations without additional protections, and educate administrators to avoid clicking untrusted links while logged in. Monitor for updates from the vendor regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-10T15:43:36.625Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a55288d68715ace4399fcdb
Added to database: 07/13/2026, 18:03:57 UTC
Last enriched: 07/13/2026, 18:18:38 UTC
Last updated: 07/14/2026, 03:45:52 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.