Critical severityNVD Advisory· Published Feb 25, 2026· Updated Feb 25, 2026
Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover
CVE-2026-27822
Description
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account takeover and system compromise. Version 1.0.0-alpha.83 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rustfscrates.io | < 1.0.0-alpha.83 | 1.0.0-alpha.83 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-v9fg-3cr2-277jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27822ghsaADVISORY
- github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.83ghsaWEB
- github.com/rustfs/rustfs/security/advisories/GHSA-v9fg-3cr2-277jghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.