Vendor
A remote attacker can exploit a critical vulnerability, CVE-2026-61500, in Rejetto HFS versions 3.0.0 through 3.2.0 by recovering the session-cookie signing key due to poor randomness, forging an administrator session, and achieving remote code execution.