Reverse Tabnabbing in HFS - #VU127491

 

Published: April 24, 2026


Vulnerability identifier: #VU127491
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1022
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rejetto
Affected software:
HFS

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct phishing attacks.

The vulnerability exists because the HFS web link feature opens an added external web link in a new tab while leaving the untrusted target page with window.opener access. A remote attacker who compromises or controls the linked external page can replace the original HFS tab with a phishing page to conduct phishing attacks.

Only users on browsers without the browser-level protection remain vulnerable.
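
The condition described above, shown as an added example that is not part of the advisory or of HFS's own code: a JavaScript audit that flags `<a>` and `<area>` tags which open a new browsing context without `rel="noopener"` or `rel="noreferrer"`, and rewrites them. The function names and sample markup are constructed for illustration, and the check goes beyond `target="_blank"` to cover named targets, which can also open a new context.

```javascript
// Added example: audit markup for links that leave window.opener reachable.
// SAMPLE is constructed for illustration; it is not taken from HFS.
const TAG = /<(a|area)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
const ATTR = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Targets that stay in an existing context; any other value may open a new one.
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);

// Parse a tag's attribute text into a lower-cased name -> value map (first wins).
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

function relTokens(attrs) {
  return (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Exposed: may open a new context and rel has neither noopener nor
// noreferrer (noreferrer implies noopener).
function isExposed(attrs) {
  const target = (attrs.get('target') || '').trim().toLowerCase();
  if (SAME_CONTEXT.has(target)) return false;
  const rel = relTokens(attrs);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Return the rewritten markup plus the href of every link that was changed.
function hardenLinks(html) {
  const fixed = [];
  const out = html.replace(TAG, (tag, name, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isExposed(attrs)) return tag;
    fixed.push(attrs.get('href') || '');
    attrs.set('rel', [...relTokens(attrs), 'noopener', 'noreferrer'].join(' '));
    const body = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<${name} ${body.join(' ')}>`;
  });
  return { html: out, fixed };
}

const SAMPLE = [
  '<a href="https://example.org/docs" target="_blank">docs</a>',
  '<a href="https://example.net/" target=_blank rel="nofollow">ext</a>',
  '<a href="/files/">local</a> <abbr title="x">x</abbr>',
  '<a href="https://example.com/" target="_blank" rel="noreferrer">safe</a>',
].join('\n');
```

Running `hardenLinks(SAMPLE)` rewrites the first two links and leaves the same-tab link and the link that already carries `noreferrer` untouched.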


Remediation

Install the security update from the vendor's website.

Sources