CVE-2026-28674
Published: 18 March 2026
Summary
CVE-2026-28674 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Danvei233 Xiaoheifs. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 21.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of file content and type at the AdminPaymentPluginUpload endpoint to prevent unrestricted upload of dangerous executables.
- Prohibits or restricts user-installed software, preventing admins from uploading and installing arbitrary executables to the plugins/payment directory.
- Deploys malicious code protection to scan the plugins/payment directory and block automatic execution of newly uploaded executables by StartWatcher.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE in public-facing AdminPaymentPluginUpload endpoint via unrestricted file upload (T1190) that is auto-executed by StartWatcher; hardcoded password enables use of valid admin accounts (T1078); arbitrary upload directly facilitates ingress of malicious payloads (T1105).
NVD Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content.
A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
Deeper analysis
CVE-2026-28674 is a remote code execution (RCE) vulnerability in xiaoheiFS, a self-hosted financial and operational system for cloud service businesses. Affecting versions up to and including 0.3.15, the issue resides in the `AdminPaymentPluginUpload` endpoint, which allows administrators to upload arbitrary files to the `plugins/payment/` directory. Authentication relies solely on a hardcoded password (`qweasd123456`), with no validation of file contents. A background process, `StartWatcher`, scans this directory every 5 seconds and automatically executes any new executable files found, enabling RCE. The vulnerability is rated 7.2 on the CVSS v3.1 scale (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-798 (Use of Hard-coded Credentials).
Exploitation requires high privileges (PR:H), specifically administrative access to the endpoint over the network with low complexity and no user interaction. An attacker with admin credentials can upload a malicious executable file to the `plugins/payment/` directory, which the `StartWatcher` will detect and run within seconds, granting full remote code execution on the server. This achieves high impacts on confidentiality, integrity, and availability.
The GitHub security advisory (GHSA-hcj4-gfvq-qv4p) for the xiaoheiFS repository confirms that version 4.0.0 resolves the vulnerability by addressing the insecure upload and execution mechanisms. Security practitioners should upgrade to version 4.0.0 or later and review access to admin endpoints, especially in self-hosted environments handling financial data.
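The two root causes above (no validation of uploaded content, and an authentication check against a hardcoded string) map to concrete defensive checks. The following Go program is an added illustration written for this page; it is not code from xiaoheiFS or from the fix in 4.0.0, and the function names, the extension allowlist, the size limit and the sample payloads are all assumptions. It shows a validator that rejects unsafe names, disallowed types and executable content (by magic bytes and shebang) before anything is written, and a password check that compares against a deployment-supplied secret in constant time instead of a literal in the source.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical hardened checks for a plugin-upload endpoint (assumed names, not xiaoheiFS code).
var (
	ErrBadName    = errors.New("unsafe file name")
	ErrBadType    = errors.New("file type not allowed")
	ErrExecutable = errors.New("executable content rejected")
	ErrTooLarge   = errors.New("file exceeds size limit")
)

// maxPluginSize is an assumed upper bound for a plugin manifest upload.
const maxPluginSize = 1 << 20 // 1 MiB

// allowedExt is an assumed allowlist: declarative plugin files only, never binaries or scripts.
var allowedExt = map[string]bool{".json": true, ".yaml": true, ".yml": true}

// executableMagic holds well-known executable signatures; none of these may land in a
// directory that a watcher auto-runs, regardless of the file extension they carry.
var executableMagic = [][]byte{
	{0x7f, 'E', 'L', 'F'},     // ELF
	{'M', 'Z'},                // PE / DOS stub
	{0xfe, 0xed, 0xfa, 0xce},  // Mach-O 32-bit (big-endian)
	{0xce, 0xfa, 0xed, 0xfe},  // Mach-O 32-bit (little-endian)
	{0xfe, 0xed, 0xfa, 0xcf},  // Mach-O 64-bit (big-endian)
	{0xcf, 0xfa, 0xed, 0xfe},  // Mach-O 64-bit (little-endian)
	{0xca, 0xfe, 0xba, 0xbe},  // Mach-O fat binary / Java class
	{'#', '!'},                // interpreter shebang
}

// SafeName reduces a client-supplied name to a plain base name and rejects
// traversal components, hidden files and separator or NUL characters.
func SafeName(name string) (string, error) {
	base := filepath.Base(name)
	if base == "." || base == ".." || base == string(filepath.Separator) ||
		strings.HasPrefix(base, ".") || strings.ContainsAny(base, "\\/\x00") {
		return "", ErrBadName
	}
	return base, nil
}

// ValidateUpload runs every check on the in-memory upload before any write happens:
// name, size, extension allowlist, then content sniffing for executable formats.
func ValidateUpload(name string, content []byte) (string, error) {
	base, err := SafeName(name)
	if err != nil {
		return "", err
	}
	if len(content) > maxPluginSize {
		return "", ErrTooLarge
	}
	if !allowedExt[strings.ToLower(filepath.Ext(base))] {
		return "", ErrBadType
	}
	for _, magic := range executableMagic {
		if bytes.HasPrefix(content, magic) {
			return "", ErrExecutable
		}
	}
	return base, nil
}

// Authorize compares the presented secret with one supplied at deployment time
// (for example from the environment), in constant time. An empty configured
// secret means the endpoint is disabled rather than open.
func Authorize(presented, configured string) bool {
	if configured == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

func main() {
	// Constructed sample inputs: a harmless manifest and an ELF header renamed to .json.
	manifest := []byte(`{"name":"demo-gateway","version":"1"}`)
	disguised := append([]byte{0x7f, 'E', 'L', 'F'}, []byte("...")...)
	for _, c := range []struct {
		name string
		data []byte
	}{{"gateway.json", manifest}, {"../../gateway.json", manifest}, {"payload.json", disguised}, {"run.sh", []byte("#!/bin/sh\n")}} {
		saved, err := ValidateUpload(c.name, c.data)
		fmt.Printf("%-22q -> saved=%q err=%v\n", c.name, saved, err)
	}
	// The secret comes from the deployment, never from a literal in the source.
	fmt.Println("authorized:", Authorize("guess", os.Getenv("PLUGIN_UPLOAD_SECRET")))
}
```

Even with these checks in place, the upload directory should not be one that a background process executes from automatically; staging uploads in a non-watched location and requiring an explicit operator action to activate a plugin removes the auto-run step that turned this upload flaw into RCE.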
Details
- CWE(s)