Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.

Threat Intelligence

Click on any threat for detailed analysis and mitigation recommendations

CVE-2026-61505: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rejetto hfsCVE-2026-61505
0

Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact.

Join the discussion
CVE-2026-61504: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rejetto hfsCVE-2026-61504
0

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.

Join the discussion
CVE-2026-61503: Observable Response Discrepancy in rejetto hfsCVE-2026-61503
0

Rejetto HFS versions 3.0.0 through 3.2.0 have a vulnerability where the login endpoint returns different responses depending on whether a submitted username exists. This allows a remote unauthenticated attacker to confirm valid account names, including the default admin account, which can facilitate further attacks such as password guessing and session forgery. The vulnerability has a medium severity with a CVSS score of 6.9. No official patch or remediation guidance is currently provided by the vendor.

Join the discussion
CVE-2026-61502: Cross-Site Request Forgery (CSRF) in rejetto hfsCVE-2026-61502
0

Rejetto HFS versions 3.0.0 through 3.2.0 are vulnerable to a Cross-Site Request Forgery (CSRF) attack due to accepting state-changing API requests via the GET method without enforcing anti-CSRF header checks on these requests. This allows a remote attacker to perform administrative actions, including account creation and configuration changes, potentially leading to code execution. The attack can be executed by tricking a logged-in administrator into visiting a crafted URL or, in default installations, without credentials if the attack originates from the server's own machine.

Join the discussion
CVE-2026-61501: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rejetto hfsCVE-2026-61501
0

Rejetto HFS versions 3.0.0 through 3.2.0 have a cross-site scripting (XSS) vulnerability in the administration panel. The software renders log entries as HTML without sanitization, allowing a remote unauthenticated attacker to inject malicious JavaScript via a crafted username in failed login attempts. When an administrator views the logs, the injected script executes, potentially enabling account creation or code execution with administrator privileges. The vulnerability has a medium severity rating and a CVSS score of 5.3.

Join the discussion
CVE-2026-61500: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in rejetto hfsCVE-2026-61500
0

Rejetto HFS versions 3.0.0 through 3.2.0 use a cryptographically weak pseudo-random number generator (Math.random()) to derive session-cookie signing keys and disclose outputs of this generator to unauthenticated clients during login. This weakness allows a remote attacker to reconstruct the generator's state, recover the signing key, and forge valid administrator session cookies. Successful exploitation leads to full administrative access and remote code execution via the server_code configuration feature.

Join the discussion

Showing 1 to 6 of 6 results

Page 1 of 1
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses