Stored Cross-Site Scripting Vulnerability in RustFS Console from Rust
CVE-2026-27822

9.1 CRITICAL

Key Information:

Vendor: Rustfs
Status: Vendor
CVE Published: 25 February 2026

What is CVE-2026-27822?

CVE-2026-27822 is a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console, the management interface for the RustFS distributed object storage system. RustFS is designed to provide efficient, scalable cloud storage, which makes it an integral product for organizations that manage large data sets. The flaw is present in versions prior to 1.0.0-alpha.83. It allows an attacker to inject JavaScript that the application stores and later executes in the context of the RustFS management console when another user views the affected content. As a result, the attacker could potentially gain unauthorized access to sensitive information, such as administrator credentials stored in localStorage. Full account takeover becomes a distinct risk, placing entire organizational systems in jeopardy.
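As an added illustration (not code from RustFS or from this advisory) of how a stored XSS of the kind described above arises in a web console and how output encoding closes it: the console renders a value that an authenticated user was able to store earlier, and the only difference between the vulnerable and hardened render paths is whether that value is escaped when it enters the HTML context. The "display name" field, the `renderRow*` functions and the sample value are assumptions for the example; the page does not say which RustFS Console field carries the payload.

```javascript
// Added example, not RustFS Console code. The stored "display name" is a
// hypothetical stand-in for whatever user-controlled value the console renders.

// Minimal HTML escaping for text placed inside element content or a
// double-quoted attribute value. '&' must be replaced first so the
// entities emitted for the other characters are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name is interpolated into markup verbatim,
// so any markup it contains becomes part of the page for every viewer.
function renderRowUnsafe(name) {
  return `<tr><td class="name">${name}</td></tr>`;
}

// Hardened pattern: the same template, but the untrusted value is escaped
// at the point it enters the HTML context.
function renderRowSafe(name) {
  return `<tr><td class="name">${escapeHtml(name)}</td></tr>`;
}

// Defensive check for a test suite: does the rendered markup contain more
// tags than the template it came from? If so, the value introduced markup.
function introducesMarkup(rendered, template) {
  const countTags = (s) => (s.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
  return countTags(rendered) > countTags(template);
}

// Constructed sample input for the demonstration (not taken from the advisory).
const SAMPLE_NAME = "reports<script>alert(1)</script>";
const EMPTY_ROW = renderRowSafe("");

function demo() {
  const unsafe = renderRowUnsafe(SAMPLE_NAME);
  const safe = renderRowSafe(SAMPLE_NAME);
  return {
    unsafeHasInjectedTag: introducesMarkup(unsafe, EMPTY_ROW), // true
    safeHasInjectedTag: introducesMarkup(safe, EMPTY_ROW),     // false
    safe,
  };
}

console.log(demo());
```

Escaping at the sink is the fix for the injection itself; two further controls limit what a residual XSS can reach, and both follow from the impact the advisory describes. A Content-Security-Policy that disallows inline script blocks the common payload shape outright, and keeping session material in an HttpOnly cookie rather than in localStorage means script running in the console cannot simply read the administrator's credentials.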

Potential Impact of CVE-2026-27822

  1. Account Takeover: The ability to execute arbitrary JavaScript in the management console can lead directly to the compromise of administrator accounts. This can allow attackers to manipulate, delete, or steal critical data stored within the RustFS system.

  2. Data Breaches: Exploitation of this vulnerability may lead to unauthorized access to sensitive information. If an attacker gains control of storage systems, it could result in significant data breaches, impacting both organizational integrity and regulatory compliance.

  3. System Compromise: The presence of a Stored XSS vulnerability can facilitate further attacks, as attackers could not only steal information but also deploy malware within the organization’s infrastructure. This can lead to broader system compromise and potential disruptions to business operations.

Affected Version(s)

rustfs < 1.0.0-alpha.83

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved