CVE-2026-27822

Source
https://cve.org/CVERecord?id=CVE-2026-27822
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27822.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27822
Aliases
Published
2026-02-25T02:11:57.535Z
Modified
2026-02-26T02:34:48.177483Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover
Details

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account takeover and system compromise. Version 1.0.0-alpha.83 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27822.json"
}
References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type
GIT
Repo
https://github.com/rustfs/rustfs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0-alpha.83"
        }
    ]
}

Affected versions

1.*
1.0.0-alpha.1
1.0.0-alpha.10
1.0.0-alpha.11
1.0.0-alpha.12
1.0.0-alpha.13
1.0.0-alpha.14
1.0.0-alpha.15
1.0.0-alpha.16
1.0.0-alpha.17
1.0.0-alpha.18
1.0.0-alpha.19
1.0.0-alpha.2
1.0.0-alpha.20
1.0.0-alpha.21
1.0.0-alpha.22
1.0.0-alpha.23
1.0.0-alpha.24
1.0.0-alpha.25
1.0.0-alpha.26
1.0.0-alpha.27
1.0.0-alpha.28
1.0.0-alpha.29
1.0.0-alpha.3
1.0.0-alpha.30
1.0.0-alpha.31
1.0.0-alpha.32
1.0.0-alpha.33
1.0.0-alpha.34
1.0.0-alpha.35
1.0.0-alpha.36
1.0.0-alpha.37
1.0.0-alpha.38
1.0.0-alpha.39
1.0.0-alpha.4
1.0.0-alpha.40
1.0.0-alpha.41
1.0.0-alpha.42
1.0.0-alpha.43
1.0.0-alpha.44
1.0.0-alpha.45
1.0.0-alpha.46
1.0.0-alpha.47
1.0.0-alpha.48
1.0.0-alpha.49
1.0.0-alpha.5
1.0.0-alpha.50
1.0.0-alpha.51
1.0.0-alpha.52
1.0.0-alpha.53
1.0.0-alpha.54
1.0.0-alpha.55
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.6
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.7
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.8
1.0.0-alpha.80
1.0.0-alpha.81
1.0.0-alpha.82
1.0.0-alpha.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27822.json"