


Perceptive Security
SOC/SIEM Consultancy

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload`…
Published: 17 March 2026 at 23:00:00
Alert date: 18 March 2026 at 02:01:42
Source: nvd.nist.gov
Web Technologies, Enterprise Applications
xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical remote code execution vulnerability in versions up to and including 0.3.15. The `AdminPaymentPluginUpload` endpoint lets admins upload any file, protected only by a hardcoded password (`qweasd123456`) and with no validation of the file's content. A background watcher process scans the `plugins/payment/` directory every 5 seconds and automatically executes any new executable file it finds, so an upload leads to immediate RCE. The flaw is severe because it combines weak authentication with automatic code execution. The vulnerability has been patched in version 4.0.0.
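For defenders triaging an affected install, the following added example (not code from the advisory or from the xiaoheiFS project) audits a `plugins/payment/` directory for launchable files that are not on an operator-maintained allowlist of SHA-256 hashes. The allowlist, the function names and the sample files are assumptions made for illustration; because the summary does not say how the watcher decides a file is executable, the check flags both execute-bit files and files that begin with ELF, PE or shebang magic.

```python
import hashlib
import os
import stat
import tempfile

# Leading bytes of files an OS can launch directly: ELF, PE, script shebang.
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"#!")

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def looks_executable(path):
    """True if an execute bit is set or the content starts with executable magic."""
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as fh:
        return fh.read(4).startswith(EXEC_MAGIC)

def audit_plugin_dir(plugin_dir, approved_hashes):
    """List (relative path, sha256, mtime) of launchable files not on the allowlist."""
    findings = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            if not os.path.isfile(path) or not looks_executable(path):
                continue
            digest = sha256_file(path)
            if digest not in approved_hashes:
                rel = os.path.relpath(path, plugin_dir)
                findings.append((rel, digest, os.path.getmtime(path)))
    return findings

def demo():
    """Constructed sample tree: one approved plugin, one unexpected upload, one text file."""
    with tempfile.TemporaryDirectory() as base:
        plugin_dir = os.path.join(base, "plugins", "payment")
        os.makedirs(plugin_dir)
        samples = {"approved_gateway": b"\x7fELF constructed approved plugin",
                   "uploaded.bin": b"#!/bin/sh\n# constructed unexpected file\n",
                   "README.txt": b"constructed notes\n"}
        for name, content in samples.items():
            with open(os.path.join(plugin_dir, name), "wb") as fh:
                fh.write(content)
        approved = {sha256_file(os.path.join(plugin_dir, "approved_gateway"))}
        return audit_plugin_dir(plugin_dir, approved)

if __name__ == "__main__":
    for rel, digest, mtime in demo():
        print(f"UNAPPROVED {rel} sha256={digest} mtime={mtime:.0f}")
```

On a real host, call `audit_plugin_dir` with the deployment's own `plugins/payment/` path and the hashes of the plugins you installed deliberately; the modification times of any findings give a starting point for correlating with upload requests in the web logs.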
Technical details
Mitigation steps:
Affected products: xiaoheiFS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28674
https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p
Related CVE's:
Related threat actors:
IOC's: qweasd123456
This article was created with the assistance of AI technology by Perceptive.
