CVE-2026-28673
Published: 18 March 2026
Summary
CVE-2026-28673 is a high-severity OS Command Injection (CWE-78) vulnerability in Danvei233 Xiaoheifs. Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 34.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of uploaded plugin ZIP contents and manifest fields, so that an unverified binary named in the manifest is never trusted and executed.
- Integrity verification of plugin binaries before execution (for example, checking each binary against a known-good digest or signature), which blocks execution of code that is merely named in the manifest.
- SI-3 (Malicious Code Protection): malicious-code scanning of plugin uploads at the system entry point, to detect and block malicious binaries before they run.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via plugin binary upload and execution on a remotely accessible self-hosted web app maps to T1190 (Exploit Public-Facing Application) for the remote exploitation step and T1105 (Ingress Tool Transfer) for delivery of the malicious ZIP/binary that the server then executes. Note that the upload is not unauthenticated: the CVSS vector (PR:H) means the attacker must already hold administrator access, so T1190 here presupposes prior credential compromise or a malicious insider.
NVD Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
Deeper analysis
CVE-2026-28673 is a remote code execution (RCE) vulnerability in xiaoheiFS, a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows administrators to upload a ZIP file containing a binary executable and a manifest.json file. The server trusts the "binaries" field specified in the manifest.json without validating the file's contents or behavior, directly executing the uploaded binary and enabling RCE. The issue is associated with CWE-78 and CWE-434, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires high privileges (PR:H), meaning an attacker must already possess administrative access to the xiaoheiFS instance. With admin rights, the attacker can upload a malicious ZIP archive via the plugin system over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants RCE on the server with the privileges of the xiaoheiFS service account, allowing high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope (S:U).
The GitHub security advisory (GHSA-4vw4-5wmh-7x4v) confirms the vulnerability and states that xiaoheiFS version 0.4.0 resolves the issue through proper validation of plugin binaries. Security practitioners should upgrade to version 0.4.0 or later, review who holds admin access, and audit plugins uploaded before the upgrade: any binary installed through the plugin system by a compromised or malicious admin account has already run with the application's privileges.
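The following is an added example, not code from xiaoheiFS or its advisory, that demonstrates the trust failure described above and the validation the mitigating-controls list calls for. It is written in Go (the page does not state the project's implementation language) and assumes a manifest.json with a "binaries" array, as the NVD description says; the operator-maintained SHA-256 allowlist, the 64 MiB per-entry cap and the function names are this example's own design, not a description of how version 0.4.0 fixes the issue. loadPlugin returns the manifest exactly as uploaded, which is what the vulnerable versions executed; SafeResolve shows the checks a plugin loader needs before any entry named in the manifest is run.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// Manifest carries the "binaries" list the advisory describes; other fields are ignored.
type Manifest struct {
	Binaries []string `json:"binaries"`
}

var ErrRejected = errors.New("plugin rejected") // wraps every validation failure

// loadPlugin reads every regular entry of an in-memory ZIP (each capped at 64 MiB to
// blunt zip bombs) and parses manifest.json. Executing m.Binaries exactly as returned
// here, with no further checks, is the pre-0.4.0 behaviour the advisory describes.
func loadPlugin(zipData []byte) (Manifest, map[string][]byte, error) {
	var m Manifest
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return m, nil, err
	}
	files := make(map[string][]byte, len(r.File))
	for _, f := range r.File {
		if !f.Mode().IsRegular() {
			continue // directories and symlinks are never plugin binaries
		}
		rc, err := f.Open()
		if err != nil {
			return m, nil, err
		}
		body, err := io.ReadAll(io.LimitReader(rc, 64<<20))
		rc.Close()
		if err != nil {
			return m, nil, err
		}
		files[f.Name] = body
	}
	if err := json.Unmarshal(files["manifest.json"], &m); err != nil {
		return m, nil, fmt.Errorf("%w: missing or malformed manifest.json: %v", ErrRejected, err)
	}
	return m, files, nil
}

// SafeResolve admits a binary only if its manifest path stays inside the archive, the
// entry actually exists, and its SHA-256 is in an operator-maintained allowlist (assumed design).
func SafeResolve(zipData []byte, trusted map[string]bool) ([]string, error) {
	m, files, err := loadPlugin(zipData)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(m.Binaries))
	for _, name := range m.Binaries {
		clean := filepath.Clean(name)
		if !filepath.IsLocal(clean) { // rejects absolute paths and ".." escapes (Go 1.20+)
			return nil, fmt.Errorf("%w: unsafe path %q", ErrRejected, name)
		}
		body, ok := files[clean]
		if !ok || !trusted[Sha256Hex(body)] {
			return nil, fmt.Errorf("%w: %q missing from archive or digest not allowlisted", ErrRejected, name)
		}
		out = append(out, clean)
	}
	return out, nil
}

func Sha256Hex(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// buildPlugin writes a plugin ZIP in memory (constructed fixture, not a real plugin).
func buildPlugin(binaries []string, contents map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	raw, _ := json.Marshal(Manifest{Binaries: binaries})
	mf, _ := w.Create("manifest.json")
	mf.Write(raw)
	for name, body := range contents {
		f, _ := w.Create(name)
		f.Write(body)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	trusted := map[string]bool{Sha256Hex([]byte("#!/bin/sh\necho trusted\n")): true}
	z := buildPlugin([]string{"bin/plugin"}, map[string][]byte{"bin/plugin": []byte("#!/bin/sh\nid\n")})
	m, _, _ := loadPlugin(z)
	_, err := SafeResolve(z, trusted)
	fmt.Printf("manifest lists %v for execution; SafeResolve: %v\n", m.Binaries, err)
}
```

The digest allowlist is deliberately kept outside the archive: a hash written into manifest.json is attacker-controlled and proves nothing. In a real deployment the same role is played by a publisher signature over the binary, or by a vendor-published digest list fetched out of band, but the control is the same one SI-10 and the integrity item above describe: nothing named in the manifest runs until its content has been checked against something the attacker did not upload.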
Details
- CWE(s)