PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62378 rustfs CVE debrief

A critical stored cross-site scripting vulnerability exists in RustFS Console versions 0.1.7 through 0.1.10. The issue arises from the improper handling of HTML content in .pdf files, enabling an attacker to upload malicious .pdf files that can execute JavaScript code when viewed. This vulnerability, caused by a regression of CVE-2026-27822, exposes sensitive information such as administrator AccessKeyId, SecretAccessKey, and SessionToken values. The vulnerability has been fixed in version 0.1.10.

Vendor
rustfs
Product
console
CVSS
CRITICAL 9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Administrators and users of RustFS Console versions 0.1.7 through 0.1.9 should prioritize upgrading to version 0.1.10 to mitigate this critical vulnerability. Security teams should review their inventory of RustFS Console instances and ensure that all affected versions are patched. Additionally, monitoring for suspicious .pdf file uploads and implementing compensating controls, such as restricting file upload types and validating user input, can help reduce the risk of exploitation.

Technical summary

The RustFS Console, a web management console for the RustFS distributed file system, is vulnerable to stored cross-site scripting (XSS) attacks. Specifically, the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx files are affected by an extension-based PDF preview path that can render HTML content uploaded as .pdf files. This allows an attacker to store malicious JavaScript code, which can be executed when an administrator views the .pdf file. The vulnerability is a result of a regression of CVE-2026-27822 and has been assigned a CVSS score of 9, indicating critical severity.

Defensive priority

High

Recommended defensive actions

  • Upgrade RustFS Console to version 0.1.10 or later
  • Review and restrict file upload types to prevent malicious .pdf files
  • Validate user input to prevent XSS attacks
  • Monitor for suspicious .pdf file uploads and implement compensating controls
  • Ensure administrator AccessKeyId, SecretAccessKey, and SessionToken values are secure

Evidence notes

The CVE record was published on 2026-07-15T17:16:53.020Z and was last modified on 2026-07-16T20:16:47.430Z. The NVD entry is currently Deferred. The vulnerability is caused by a regression of CVE-2026-27822. The fix for this vulnerability is included in version 0.1.10 of RustFS Console.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T17:16:53.020Z and has not been modified since then. The NVD entry is currently Deferred.