Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a manifest.json. The server trusts the binaries field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
AnalysisAI
xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.
Technical ContextAI
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses developed by danvei233. The vulnerability stems from improper neutralization of special elements used in a command (CWE-78, OS Command Injection). The affected product is identified via CPE cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*. The plugin architecture accepts ZIP archives containing binaries and a manifest.json descriptor. The server parses the manifest's 'binaries' field and directly executes the referenced file without validating its contents, signature, or behavior. This design flaw allows arbitrary code execution in the context of the server process, typical of command injection vulnerabilities where user-controlled input is passed to system execution functions.
RemediationAI
Upgrade xiaoheiFS to version 0.4.0 or later, which contains a complete fix for the plugin execution vulnerability as documented in the GitHub security advisory at https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v. Until patching is completed, implement compensating controls including restricting plugin upload functionality to only highly trusted administrators, implementing file integrity monitoring on plugin directories, and running the xiaoheiFS service with minimal operating system privileges using principle of least privilege. Consider disabling the plugin system entirely if not required for business operations. Review existing plugins for unauthorized or suspicious binaries that may have been uploaded prior to patching.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12700