Cyber Posture

CVE-2026-27822

Critical · Public PoC

Published: 25 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: version 1.0.0-alpha.83 (from the NVD description below)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27822 is a critical-severity stored Cross-site Scripting (CWE-79) vulnerability in Rustfs Rustfs (the RustFS Console). Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 13.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Exploitation for Credential Access (T1212). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires identification, reporting, and correction of the stored XSS flaw, including patching to the fixed version 1.0.0-alpha.83.

SI-10 (Information Input Validation), prevent: Prevents injection of malicious XSS payloads by low-privilege attackers through validation of inputs to the RustFS Console.

SI-15 (Information Output Filtering), prevent: Blocks execution of stored XSS payloads during rendering, such as in the PDF preview logic, by filtering console outputs.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

Stored XSS directly enables exploitation for credential access (injected JavaScript reads the administrator credentials held in localStorage) and privilege escalation (account takeover, moving from a low-privilege account to full admin and system control).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from `localStorage`, leading to full account takeover and system compromise. Version 1.0.0-alpha.83 fixes the issue.

Deeper analysis

CVE-2026-27822 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the RustFS Console in RustFS, a distributed object storage system built in Rust. The flaw exists in versions prior to 1.0.0-alpha.83, where improper handling allows stored malicious payloads. It has a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts with changed scope.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) by injecting a payload that bypasses the PDF preview logic in the console. This requires user interaction (UI:R), such as an administrator viewing the malicious content, enabling arbitrary JavaScript execution in the management console's context. The attacker can then steal administrator credentials stored in localStorage, resulting in full account takeover and potential complete system compromise.

The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-v9fg-3cr2-277j details the issue, confirming that upgrading to version 1.0.0-alpha.83 resolves the vulnerability by addressing the PDF preview bypass and XSS handling. Security practitioners should prioritize patching affected RustFS deployments and review who holds console access, since any authenticated low-privilege user can plant the stored payload.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: rustfs rustfs 1.0.0

CVEs Like This One

CVE-2026-22043 (same product: Rustfs Rustfs)
CVE-2026-40937 (same product: Rustfs Rustfs)
CVE-2026-22042 (same product: Rustfs Rustfs)
CVE-2025-68705 (same product: Rustfs Rustfs)
CVE-2026-27607 (same product: Rustfs Rustfs)
CVE-2026-24762 (same product: Rustfs Rustfs)
CVE-2026-22782 (same product: Rustfs Rustfs)
CVE-2026-21862 (same product: Rustfs Rustfs)
CVE-2025-68926 (same product: Rustfs Rustfs)
CVE-2025-0447 (shared CWE-79)
