Skip to main content

RustFS Console CVE-2026-62378

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 GitHub_M
9.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.0 CRITICAL

Requires an authenticated uploader (PR:L) and an admin to open the preview (UI:R); script runs in the console origin stealing admin credentials, causing a scope change (S:C) and full storage compromise.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 17:16 vuln.today
Analysis Generated
Jul 15, 2026 - 17:16 vuln.today
CVE Published
Jul 15, 2026 - 16:50 cve.org
CRITICAL 9.0

DescriptionCVE.org

RustFS Console is a web management console for the RustFS distributed file system. From 0.1.7 until 0.1.10, the RustFS Console components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path can render HTML content uploaded as .pdf, allowing stored cross-site scripting in the management console and exposure of administrator AccessKeyId, SecretAccessKey, and SessionToken values. This is caused by a regression of CVE-2026-27822. This vulnerability is fixed in 0.1.10.

AnalysisAI

Stored cross-site scripting in RustFS Console (0.1.7 through 0.1.9) lets an attacker upload an HTML payload disguised as a .pdf file that executes when an administrator previews it, exfiltrating the console's AccessKeyId, SecretAccessKey, and SessionToken. The flaw is a regression of the previously patched CVE-2026-27822 and stems from the PDF preview path trusting the .pdf filename extension rather than the actual content type. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with upload access
Delivery
Upload HTML payload named .pdf
Exploit
Admin opens object preview
Execution
Script executes in console origin
Persist
Steal Access/Secret/Session keys
Impact
Assume admin control of storage

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an account with permission to upload/store an object into a bucket viewable in the console (PR:L authenticated per the CVSS vector), (2) the ability to name that object with a .pdf extension while its bytes are HTML/JavaScript, and (3) a RustFS Console administrator subsequently opening that object in the object preview modal (UI:R - the preview click is the trigger). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, base 9.0) reflects a network-reachable, low-complexity attack that requires some privilege (PR:L - an authenticated account able to upload objects) and victim interaction (UI:R - an admin must open the preview), with a scope change (S:C) because script executing in the admin's browser can steal the admin's storage credentials and thereby compromise the wider storage system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an account permitted to upload objects stores a file named report.pdf whose contents are actually HTML with an embedded script. When a RustFS administrator opens that object in the console's preview modal, the extension-based logic routes it to the PDF viewer, the script runs in the console origin, and it harvests the admin's AccessKeyId, SecretAccessKey, and SessionToken. …
Remediation Vendor-released patch: upgrade RustFS Console to v0.1.10, which changes isPdfPreview() to key exclusively on contentType === 'application/pdf' and no longer trusts the .pdf filename extension (commit 49630dc). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all deployed RustFS Console instances and their versions; immediately disable file upload and preview functionality for versions 0.1.7-0.1.9. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy