PatchSiren cyber security CVE debrief
CVE-2026-62378 rustfs CVE debrief
A critical stored cross-site scripting vulnerability exists in RustFS Console versions 0.1.7 through 0.1.10. The issue arises from the improper handling of HTML content in .pdf files, enabling an attacker to upload malicious .pdf files that can execute JavaScript code when viewed. This vulnerability, caused by a regression of CVE-2026-27822, exposes sensitive information such as administrator AccessKeyId, SecretAccessKey, and SessionToken values. The vulnerability has been fixed in version 0.1.10.
- Vendor
- rustfs
- Product
- console
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of RustFS Console versions 0.1.7 through 0.1.9 should prioritize upgrading to version 0.1.10 to mitigate this critical vulnerability. Security teams should review their inventory of RustFS Console instances and ensure that all affected versions are patched. Additionally, monitoring for suspicious .pdf file uploads and implementing compensating controls, such as restricting file upload types and validating user input, can help reduce the risk of exploitation.
Technical summary
The RustFS Console, a web management console for the RustFS distributed file system, is vulnerable to stored cross-site scripting (XSS) attacks. Specifically, the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx files are affected by an extension-based PDF preview path that can render HTML content uploaded as .pdf files. This allows an attacker to store malicious JavaScript code, which can be executed when an administrator views the .pdf file. The vulnerability is a result of a regression of CVE-2026-27822 and has been assigned a CVSS score of 9, indicating critical severity.
Defensive priority
High
Recommended defensive actions
- Upgrade RustFS Console to version 0.1.10 or later
- Review and restrict file upload types to prevent malicious .pdf files
- Validate user input to prevent XSS attacks
- Monitor for suspicious .pdf file uploads and implement compensating controls
- Ensure administrator AccessKeyId, SecretAccessKey, and SessionToken values are secure
Evidence notes
The CVE record was published on 2026-07-15T17:16:53.020Z and was last modified on 2026-07-16T20:16:47.430Z. The NVD entry is currently Deferred. The vulnerability is caused by a regression of CVE-2026-27822. The fix for this vulnerability is included in version 0.1.10 of RustFS Console.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T17:16:53.020Z and has not been modified since then. The NVD entry is currently Deferred.