RustFS & The PDF Trojan: Anatomy of a Critical Stored XSS
Vulnerability ID: CVE-2026-27822
CVSS Score: 9.1
Published: 2026-02-25
While the world rushes to rewrite everything in Rust to escape memory corruption, CVE-2026-27822 is a reminder that logic bugs and web vulnerabilities do not care about your borrow checker. It is a critical stored cross-site scripting (XSS) vulnerability in the RustFS Management Console: by abusing the PDF preview functionality, an attacker can turn a simple file upload into a payload that executes arbitrary JavaScript in the context of an administrator's session. This is not a harmless alert box. Because the console keeps the administrator's session token in localStorage, where any script running on the page can read it, the injected code can exfiltrate that token to the attacker, who can then replay it for a full administrative account takeover and total control over the distributed object storage system.
TL;DR
Critical Stored XSS in RustFS Console allowing full admin takeover via malicious PDF previews.
Technical Details
- CVE ID: CVE-2026-27822
- CVSS: 9.1 (Critical)
- CWE: CWE-79 (Stored XSS)
- Attack Vector: Network (Stored File Upload)
- Impact: Admin Account Takeover
- Affected Component: PDF Preview Logic
- EPSS Score: 0.00041
Affected Systems
- RustFS Management Console < 1.0.0-alpha.83
- rustfs < 1.0.0-alpha.83 (fixed in 1.0.0-alpha.83)
Mitigation Strategies
- Upgrade RustFS to version 1.0.0-alpha.83 immediately; the other items below reduce the blast radius of the next XSS, they do not remove this one.
- Implement a Content Security Policy (CSP) that restricts script sources for the console, and serve uploaded files, previews included, with a sandbox directive so that the rendered document runs in an opaque origin with no access to the console's storage or cookies.
- Switch authentication storage from localStorage to HttpOnly cookies, so that injected script can no longer read the token and exfiltrate it. Because cookies are attached to requests automatically, pair this with SameSite and CSRF protection.
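The two hardening items above, put into code as an added example (this is not RustFS's own code and the page does not say how the console serves previews). It shows a preview handler that refuses non-PDF bytes, delivers the file with a sandboxing CSP and nosniff, issues the session token as an HttpOnly cookie instead of handing it to script, and includes audit helpers you can run over a captured response. The in-memory object store, the object keys, the sample bytes and the cookie name rustfs_session are all assumptions made for the illustration.

```javascript
// Added example (not RustFS's own code): hardened delivery of an untrusted
// uploaded PDF for inline preview, plus the session token as an HttpOnly cookie.
// The store, keys, sample bytes and cookie name "rustfs_session" are assumptions.

const PDF_MAGIC = Buffer.from('%PDF-');

// Constructed stand-in for the object store (key -> uploaded bytes).
// "reports/notes.pdf" is an HTML file that was simply renamed to .pdf.
const STORE = new Map([
  ['reports/q1.pdf', Buffer.from('%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n')],
  ['reports/notes.pdf', Buffer.from('<html><body>not a pdf</body></html>')],
]);

// Filename for Content-Disposition: a conservative charset so an attacker-
// chosen object key cannot smuggle quotes or CR/LF into the header.
function safeFilename(key) {
  const base = key.split('/').pop() || 'preview.pdf';
  return base.replace(/[^A-Za-z0-9._-]/g, '_') || 'preview.pdf';
}

// Headers for delivering user-supplied content inline.
//  - CSP "sandbox" gives the rendered document an opaque origin, so script that
//    runs inside it cannot reach the console's localStorage, cookies or DOM;
//    "default-src 'none'" additionally denies it any network loads.
//  - nosniff stops the browser reinterpreting the body as HTML or script.
function previewHeaders(key, byteLength) {
  return {
    'Content-Type': 'application/pdf',
    'Content-Length': String(byteLength),
    'Content-Disposition': `inline; filename="${safeFilename(key)}"`,
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

// Preview handler: returns a plain { status, headers, body } object so the
// logic can be exercised without a running HTTP server.
function handlePreview(key) {
  const bytes = STORE.get(key);
  if (!bytes) return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  // Check the magic bytes server-side; the upload's extension and declared
  // MIME type are attacker-controlled and prove nothing.
  if (bytes.length < PDF_MAGIC.length || !bytes.subarray(0, PDF_MAGIC.length).equals(PDF_MAGIC)) {
    return { status: 415, headers: { 'Content-Type': 'text/plain' }, body: 'not a PDF' };
  }
  return { status: 200, headers: previewHeaders(key, bytes.length), body: bytes };
}

// Session token as an HttpOnly cookie. Injected script can still send requests
// that carry it, but it can no longer read the token and ship it off to be
// replayed from the attacker's machine. SameSite=Strict limits the cross-site
// request forgery that automatically attached cookies otherwise invite.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return `rustfs_session=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Audit helpers: run over a captured response from the preview endpoint or the
// login endpoint and report what is missing.
function auditPreviewHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  if (!/^application\/pdf\b/i.test(h['content-type'] || '')) findings.push('Content-Type is not application/pdf');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('missing X-Content-Type-Options: nosniff');
  const csp = h['content-security-policy'] || '';
  if (!/(^|;)\s*sandbox(\s|;|$)/i.test(csp)) findings.push('CSP lacks sandbox directive');
  if (!/default-src\s+'none'/i.test(csp)) findings.push("CSP lacks default-src 'none'");
  return findings;
}

function auditSetCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('token readable by script (no HttpOnly)');
  if (!attrs.includes('secure')) findings.push('cookie sent over plaintext (no Secure)');
  if (!attrs.some(a => a.startsWith('samesite='))) findings.push('no SameSite attribute');
  return findings;
}
```

Two caveats. The sandboxing CSP protects whatever is rendered from the preview response; the console page itself still needs its own CSP with a tight script-src, and if the console embeds the preview it should do so in an iframe with the sandbox attribute as well, so the isolation holds whichever PDF viewer the browser uses. And some browsers treat a sandboxed PDF response as a download rather than rendering it inline, so verify the preview still works in the browsers your administrators actually use.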
Remediation Steps:
- Identify the current RustFS version: rustfs --version
- Stop the running service.
- Update the binary or container image to 1.0.0-alpha.83.
- Restart the service.
- Invalidate all existing administrative sessions; a token that was exfiltrated before the upgrade stays valid until it is revoked, and the patch alone does nothing about it.
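The version check in step 1 is easy to get wrong by hand because the fixed build is a pre-release: 1.0.0-alpha.9 is older than 1.0.0-alpha.83, and 1.0.0 is newer than both. The following is an added example, not RustFS tooling, that applies SemVer precedence rules to the text printed by rustfs --version and decides whether the install predates the fix. It assumes only that the output contains a version token such as 1.0.0-alpha.82; the exact output format is not given on this page.

```javascript
// Added example (not RustFS tooling): decide from the output of
// `rustfs --version` whether the installed build predates the fix.
// Assumes the output contains a "1.0.0-alpha.82"-style version token.
const FIXED = '1.0.0-alpha.83';

// Extract core version and pre-release identifiers from arbitrary text.
function parseVersion(text) {
  const m = String(text).match(/(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence: compare the core numerically; a pre-release ranks below
// the same core without one; pre-release identifiers compare numerically when
// both are numeric, otherwise as ASCII strings, and numeric ranks below alpha.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre.length === 0 || b.pre.length === 0) {
    return a.pre.length === b.pre.length ? 0 : (a.pre.length ? -1 : 1);
  }
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1;   // shorter identifier list ranks lower
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when the reported version is older than the fixed release.
function isVulnerable(versionOutput) {
  const v = parseVersion(versionOutput);
  if (!v) throw new Error('no version string found in: ' + versionOutput);
  return compareVersions(v, parseVersion(FIXED)) < 0;
}

// Stand-alone usage: node check.js "$(rustfs --version)"
if (typeof process !== 'undefined' && process.argv[2] !== undefined) {
  console.log(isVulnerable(process.argv[2]) ? 'VULNERABLE: upgrade to ' + FIXED : 'not affected');
}
```

Run it against the real command output rather than a version you remember; container images in particular are often older than the binary on the build host.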
References
Read the full report for CVE-2026-27822 on our website for more details including interactive diagrams and full exploit analysis.