Platform
rust
Component
rustfs
Fixed in
1.0.1
1.0.0-alpha.83
A critical Stored Cross-Site Scripting (XSS) vulnerability exists within the RustFS Console, allowing attackers to execute arbitrary JavaScript. The flaw stems from improper validation during the file preview process and can lead to the theft of administrator credentials stored in localStorage. All versions prior to 1.0.0-alpha.83 are affected; the fix is available in version 1.0.0-alpha.83.
The impact of this XSS vulnerability is severe. An attacker can exploit it to inject malicious JavaScript code into the RustFS Console, which will then be executed in the context of a user's browser. This allows the attacker to steal sensitive information, such as administrator credentials stored in localStorage. Successful exploitation grants the attacker full account takeover, enabling them to access and manipulate data, potentially compromising the entire system. The lack of origin separation between S3 object delivery and the management console exacerbates the risk, making it easier for attackers to inject malicious payloads.
CVE-2026-27822 was publicly disclosed on 2026-02-25. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's severity and the potential for account takeover suggest a high likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, given the XSS nature, warrants careful monitoring and proactive mitigation.
Organizations utilizing RustFS Console for file storage and management are at risk, particularly those relying on the console for administrative tasks. Environments with shared hosting configurations or legacy RustFS Console deployments are especially vulnerable due to potentially outdated security practices and unpatched systems.
• rust: Examine RustFS Console logs for unusual file preview requests or JavaScript execution attempts.
• generic web: Use curl to test file preview endpoints with specially crafted payloads designed to trigger XSS:
    curl -X POST -d 'payload=<script>alert(1)</script>' <rustfs_console_preview_url>
• generic web: Review access and error logs for patterns indicative of XSS attempts, such as requests containing <script> tags or other suspicious characters.
• generic web: Check response headers for unexpected content types or other anomalies that might indicate a successful XSS attack.
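As an added detection example that is not part of the advisory or the RustFS project, the script below applies the log-review check from the list above to constructed access-log lines: it percent-decodes each request target, restricts itself to the preview endpoint and flags script-injection markers. The preview path /console/preview and the combined log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format; the preview path
# /console/preview is an assumption, not a path taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /console/preview?object=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [25/Feb/2026:10:02:17 +0000] "GET /console/preview?object=%3Cscript%3Ealert(1)%3C%2Fscript%3E.html HTTP/1.1" 200 812
10.0.0.9 - - [25/Feb/2026:10:02:40 +0000] "POST /console/preview HTTP/1.1" 200 13
10.0.0.7 - - [25/Feb/2026:10:03:05 +0000] "GET /console/preview?object=x.svg&cb=javascript:void(0) HTTP/1.1" 200 240
10.0.0.5 - - [25/Feb/2026:10:04:55 +0000] "GET /static/app.js HTTP/1.1" 200 99000
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers of script injection, checked after percent-decoding; kept deliberately narrow
SCRIPT_MARKERS = re.compile(r'<\s*script|javascript\s*:|<\s*svg|<\s*iframe|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_target(target):
    """Percent-decode repeatedly (up to 3 rounds) so double-encoded payloads become visible."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_suspicious_preview_requests(log_text, preview_path='/console/preview'):
    """Return (ip, timestamp, decoded target) for preview requests carrying script markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        target = decode_target(m['target'])
        if not target.startswith(preview_path):
            continue  # only the preview endpoint is in scope here
        if SCRIPT_MARKERS.search(target):
            hits.append((m['ip'], m['ts'], target))
    return hits


if __name__ == '__main__':
    for ip, ts, target in find_suspicious_preview_requests(SAMPLE_LOG):
        print(f'{ts} {ip} {target}')
```

Stored XSS payloads travel in the uploaded object rather than only in the request line, so treat this as a triage signal for the console's access logs, not as proof that no payload was stored.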
Disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27822 is to immediately upgrade to RustFS Console version 1.0.0-alpha.83 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block suspicious JavaScript payloads targeting the file preview endpoint. Additionally, review and strengthen the security of your localStorage implementation to minimize the impact of credential theft. Regularly monitor RustFS Console logs for any unusual activity or attempts to exploit the vulnerability.
Update RustFS to version 1.0.0-alpha.83 or later. This version fixes the stored XSS vulnerability in the preview modal, preventing a possible takeover of the administrator account.
CVE-2026-27822 is a critical Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console that allows attackers to execute JavaScript and potentially steal administrator credentials.
You are affected if you are using RustFS Console versions prior to 1.0.0-alpha.83. Assess your environment immediately to determine if you are vulnerable.
Upgrade to RustFS Console version 1.0.0-alpha.83 or later. As a temporary workaround, implement a WAF to block suspicious file preview requests.
While no active exploitation has been publicly confirmed, the high severity of the vulnerability suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official RustFS security advisory for detailed information and updates regarding CVE-2026-27822.