Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 13 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a logged-in administrator's browser to navigate to a crafted URL, or without any credentials against default installations when the attack originates from the server's own machine. | |
| Title | Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests | |
| Weaknesses | CWE-352 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T17:22:59.734Z
Reserved: 2026-07-10T15:43:36.625Z
Link: CVE-2026-61502
No data.
No data.
No data.
OpenCVE Enrichment
No data.