Cyber Resilience

CVE-2026-28674

Severity: High · Public PoC
Published: 18 March 2026
Modified: 23 March 2026
CISA KEV: not listed
Patch: version 4.0.0 (per GHSA-hcj4-gfvq-qv4p)
CVSS v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0007 (22.2nd percentile)
Risk Priority: 14 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28674 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Danvei233 Xiaoheifs. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28674 is a remote code execution (RCE) vulnerability in xiaoheiFS, a self-hosted financial and operational system for cloud service businesses. Affecting versions up to and including 0.3.15, the issue resides in the `AdminPaymentPluginUpload` endpoint, which allows administrators to upload arbitrary files to the `plugins/payment/` directory. Authentication relies solely on a hardcoded password (`qweasd123456`), with no validation of file contents. A background process, `StartWatcher`, scans this directory every 5 seconds and automatically executes any new executable files found, enabling RCE. The vulnerability is rated 7.2 on the CVSS v3.1 scale (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-798 (Use of Hard-coded Credentials).

Exploitation requires high privileges (PR:H), specifically administrative access to the endpoint over the network, with low attack complexity and no user interaction. An attacker holding admin credentials can upload a malicious executable to the `plugins/payment/` directory; `StartWatcher` detects and runs it within seconds, granting full remote code execution on the server. The result is high impact on confidentiality, integrity and availability.

The GitHub security advisory (GHSA-hcj4-gfvq-qv4p) for the xiaoheiFS repository confirms that version 4.0.0 resolves the vulnerability by addressing the insecure upload and execution mechanisms. Security practitioners should upgrade to version 4.0.0 or later and review access to admin endpoints, especially in self-hosted environments handling financial data.
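The advisory's two failures, no content or type validation on the upload and a watcher that executes whatever lands in the directory, can be illustrated from the defender's side. The block below is an added example, not xiaoheiFS code; it is written in Go on the assumption that the project is Go, and every name in it (`ValidatePluginUpload`, `SavePlugin`, the allowlist) is hypothetical. It shows the check the endpoint lacked (bare filename, allowlisted data extensions, rejection of executable magic bytes) and a write mode that leaves no execute bit for a watcher to act on:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed allowlist for a hypothetical plugin directory: data formats only.
var allowedExt = map[string]bool{".json": true, ".yaml": true, ".yml": true, ".toml": true}

// Leading bytes that identify native executables and scripts.
var executableMagic = [][]byte{
	{0x7f, 'E', 'L', 'F'}, // ELF binaries and shared objects
	[]byte("MZ"),          // PE/COFF (Windows .exe/.dll)
	[]byte("#!"),          // script with an interpreter line
}

// ValidatePluginUpload rejects path components, non-allowlisted extensions and executable content.
func ValidatePluginUpload(filename string, content []byte) error {
	if filename == "" || filepath.Base(filename) != filename || strings.ContainsAny(filename, `/\`) {
		return errors.New("filename must be a bare name, not a path")
	}
	if ext := strings.ToLower(filepath.Ext(filename)); !allowedExt[ext] {
		return fmt.Errorf("extension %q is not allowed", ext)
	}
	for _, magic := range executableMagic {
		if bytes.HasPrefix(content, magic) {
			return errors.New("content carries an executable signature")
		}
	}
	return nil
}

// SavePlugin validates, then writes with mode 0600 so the file carries no execute bit.
func SavePlugin(dir, filename string, content []byte) (string, error) {
	if err := ValidatePluginUpload(filename, content); err != nil {
		return "", err
	}
	dst := filepath.Join(dir, filename)
	return dst, os.WriteFile(dst, content, 0o600)
}

func main() {
	fmt.Println("ELF named .json:", ValidatePluginUpload("p.json", []byte{0x7f, 'E', 'L', 'F'}))
	fmt.Println("plain manifest:", ValidatePluginUpload("manifest.json", []byte(`{"name":"x"}`)))
}
```

The extension allowlist is deliberately data-only; a plugin mechanism that genuinely needs to accept code should verify a signature over the artefact rather than trust the upload path.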


Vulnerability details

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content.

A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-798 (Use of Hard-coded Credentials)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

RCE in public-facing AdminPaymentPluginUpload endpoint via unrestricted file upload (T1190) that is auto-executed by StartWatcher; hardcoded password enables use of valid admin accounts (T1078); arbitrary upload directly facilitates ingress of malicious payloads (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-28673 · same product: Danvei233 Xiaoheifs
- CVE-2025-8857 · shared CWE-798
- CVE-2025-37103 · shared CWE-798
- CVE-2026-2269 · shared CWE-434
- CVE-2025-25783 · shared CWE-434
- CVE-2025-27683 · shared CWE-434
- CVE-2025-1393 · shared CWE-798
- CVE-2025-2538 · shared CWE-798
- CVE-2024-41340 · shared CWE-434
- CVE-2025-6207 · shared CWE-434

Affected Assets

danvei233 / xiaoheifs, versions ≤ 0.4.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

- SI-10 Information Input Validation (prevent): requires validation of file content and type at the AdminPaymentPluginUpload endpoint to prevent unrestricted upload of dangerous executables.
- CM-11 User-installed Software (prevent): prohibits or restricts user-installed software, preventing admins from uploading and installing arbitrary executables to the plugins/payment directory.
- SI-3 Malicious Code Protection (prevent / detect): deploys malicious code protection to scan the plugins/payment directory and block automatic execution of newly uploaded executables by StartWatcher.
