CVE-2026-61504
MEDIUM
NVD
CVSS Score
5.4
Severity
MEDIUM
Published
Jul 13, 2026
Vendor
unknown
Description
Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name contains script that executes in the browser of anyone viewing the listing.