Skip to main content

Xiaoheifs EUVDEUVD-2026-12700

| CVE-2026-28673 HIGH
OS Command Injection (CWE-78)
2026-03-18 GitHub_M
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:21 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.4.0
EUVD ID Assigned
Mar 18, 2026 - 01:00 euvd
EUVD-2026-12700
Analysis Generated
Mar 18, 2026 - 01:00 vuln.today
CVE Published
Mar 18, 2026 - 00:41 nvd
HIGH 7.2

DescriptionGitHub Advisory

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a manifest.json. The server trusts the binaries field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.

AnalysisAI

xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.

Technical ContextAI

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses developed by danvei233. The vulnerability stems from improper neutralization of special elements used in a command (CWE-78, OS Command Injection). The affected product is identified via CPE cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*. The plugin architecture accepts ZIP archives containing binaries and a manifest.json descriptor. The server parses the manifest's 'binaries' field and directly executes the referenced file without validating its contents, signature, or behavior. This design flaw allows arbitrary code execution in the context of the server process, typical of command injection vulnerabilities where user-controlled input is passed to system execution functions.

RemediationAI

Upgrade xiaoheiFS to version 0.4.0 or later, which contains a complete fix for the plugin execution vulnerability as documented in the GitHub security advisory at https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v. Until patching is completed, implement compensating controls including restricting plugin upload functionality to only highly trusted administrators, implementing file integrity monitoring on plugin directories, and running the xiaoheiFS service with minimal operating system privileges using principle of least privilege. Consider disabling the plugin system entirely if not required for business operations. Review existing plugins for unauthorized or suspicious binaries that may have been uploaded prior to patching.

Share

EUVD-2026-12700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy