CVE-2026-28673
Remote Code Execution in xiaoheiFS Plugin System
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| danvei233 | xiaoheifs | < 0.4.0 (0.4.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28673 is a high-severity Remote Code Execution (RCE) vulnerability in the plugin system of the xiaoheiFS project (affected versions up to 0.3.15; fixed in 0.4.0). The system lets administrators upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field of that manifest as-is and executes whatever file it names, without validating the file's contents or behavior (the CWE-434 unrestricted-upload and CWE-78 command-execution weaknesses listed above).
This means an attacker who holds, or has stolen, administrative credentials can craft a malicious plugin ZIP whose manifest points at a harmful executable, for example a reverse-shell script. When the plugin is enabled, the server runs that file, giving the attacker arbitrary code execution on the server.
How can this vulnerability impact me?
This vulnerability can lead to full system compromise, because an attacker with admin access to the web interface can execute arbitrary code on the underlying server.
- Remote Code Execution (RCE) lets the attacker run any command or program on the affected system, with the privileges of the xiaoheiFS process.
- Confidentiality, integrity, and availability of the system can all be fully compromised; a compromised or malicious admin account becomes a compromised host.
- Attack complexity is low once admin privileges are obtained, and no interaction from other users is required.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the plugin installation and enabling endpoints for suspicious activity, especially uploads of ZIP files containing binaries together with a `manifest.json` whose `binaries` field names unusual or unexpected executables.
Specifically, check for use of the `/admin/api/v1/plugins/install` endpoint and inspect uploaded ZIP files for malicious binaries or manipulated `binaries` fields in the `manifest.json`.
Commands that can help detect exploitation attempts include:
- Inspect recent uploads to the plugins directory for unexpected files: `ls -l /path/to/plugins/`
- Find every `binaries` field in the installed manifests and review what each one references: `grep -r 'binaries' /path/to/plugins/`
- Look for unusual outbound connections that could indicate a reverse shell: `netstat -anp | grep ESTABLISHED` or `ss -tnp state established` (note that `ss` abbreviates the state to `ESTAB`, so grepping it for `ESTABLISHED` matches nothing; both tools need root to show the owning process).
- Check server logs for calls to the plugin enable endpoint `/admin/api/v1/plugins/{category}/{plugin_id}/enable` to identify when plugins were enabled. [1]
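The following audit script is an added example for this page, not code from the xiaoheiFS project or from the source cited above. It makes the checks just listed repeatable: it walks an installed plugin directory, reads its manifest.json, flags `binaries` entries that escape the plugin directory, contain shell metacharacters (the CWE-78 pattern), do not exist, or are interpreter scripts rather than compiled binaries, and it pulls install/enable calls to the two endpoints named above out of access-log lines. It assumes each plugin lives in its own directory with a root-level manifest.json whose `binaries` field is a list of relative paths, and that the proxy in front of the admin API writes Common Log Format lines; the plugin layout and log lines it builds are constructed sample data, not real artifacts.

```python
"""Audit installed plugins and access logs for CVE-2026-28673 abuse.

Added example for this page, not xiaoheiFS project code. Assumptions (ours):
each installed plugin is a directory with a root-level manifest.json whose
`binaries` field is a list of paths relative to that directory, and the
reverse proxy in front of the admin API logs in Common Log Format.
"""
import json
import re
import tempfile
from pathlib import Path

INSTALL_PATH = "/admin/api/v1/plugins/install"
ENABLE_RE = re.compile(r"^/admin/api/v1/plugins/[^/]+/[^/]+/enable$")
SHELL_META = re.compile(r"[;&|`$<>\n]")  # CWE-78 style command-injection markers
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def audit_manifest(plugin_dir: Path) -> list:
    """Return human-readable findings for one installed plugin directory."""
    findings = []
    manifest = plugin_dir / "manifest.json"
    if not manifest.is_file():
        return [f"{plugin_dir.name}: no manifest.json"]
    data = json.loads(manifest.read_text())
    binaries = data.get("binaries", [])
    if not isinstance(binaries, list):
        return [f"{plugin_dir.name}: binaries field is not a list"]
    root = plugin_dir.resolve()
    for entry in binaries:
        if not isinstance(entry, str):
            findings.append(f"{plugin_dir.name}: non-string binaries entry {entry!r}")
            continue
        if SHELL_META.search(entry):
            findings.append(f"{plugin_dir.name}: shell metacharacters in {entry!r}")
        if Path(entry).is_absolute():
            findings.append(f"{plugin_dir.name}: absolute binary path {entry!r}")
            continue
        target = (root / entry).resolve()
        if root not in target.parents:  # path traversal out of the plugin dir
            findings.append(f"{plugin_dir.name}: {entry!r} escapes plugin directory")
            continue
        if not target.is_file():
            findings.append(f"{plugin_dir.name}: {entry!r} does not exist")
            continue
        with target.open("rb") as fh:
            head = fh.read(2)
        if head == b"#!":  # declared as a binary, but really an interpreter script
            findings.append(f"{plugin_dir.name}: {entry!r} is an interpreter script")
    return findings


def scan_access_log(lines) -> list:
    """Return plugin install/enable requests found in CLF access-log lines."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if path == INSTALL_PATH:
            kind = "install"
        elif ENABLE_RE.match(path):
            kind = "enable"
        else:
            continue
        hits.append({"ip": ip, "time": ts, "method": method, "path": path,
                     "status": int(status), "kind": kind})
    return hits


# Constructed sample log lines (not real traffic), Common Log Format.
SAMPLE_LOG = [
    '203.0.113.5 - admin [18/Mar/2026:10:02:11 +0000] "POST /admin/api/v1/plugins/install HTTP/1.1" 200 312',
    '203.0.113.5 - admin [18/Mar/2026:10:02:40 +0000] "POST /admin/api/v1/plugins/tools/helper/enable HTTP/1.1" 200 57',
    '198.51.100.7 - - [18/Mar/2026:10:03:02 +0000] "GET /static/app.js HTTP/1.1" 200 8822',
]


def build_sample_plugin(root: Path) -> Path:
    """Write a constructed plugin layout (hypothetical, for demonstration only)."""
    plugin = root / "helper"
    (plugin / "bin").mkdir(parents=True)
    (plugin / "bin" / "helper").write_bytes(b"\x7fELF" + b"\0" * 12)  # fake ELF header
    (plugin / "bin" / "rev.sh").write_text("#!/bin/sh\necho hello\n")  # script, not a binary
    (plugin / "manifest.json").write_text(json.dumps({
        "name": "helper",
        "binaries": ["bin/helper", "bin/rev.sh", "../../usr/bin/curl", "bin/helper; id"],
    }))
    return plugin


def run_demo():
    """Build the sample plugin in a temp dir, audit it, and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_manifest(build_sample_plugin(Path(tmp)))
    return findings, scan_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    findings, hits = run_demo()
    print("\n".join(findings))
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['kind']} {h['path']} -> {h['status']}")
```

Point `audit_manifest` at each directory under the real plugins path and `scan_access_log` at the proxy log; a plugin whose manifest is clean but whose enable call is followed by a new outbound connection from the service account is the pattern to escalate.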
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading xiaoheiFS to version 0.4.0 or later, where this vulnerability is fixed. Upgrading does not by itself remove plugins that were installed earlier, so review the installed plugin directory and its manifests after the upgrade.
Until the upgrade can be performed, restrict administrative access to the plugin installation and enabling endpoints to trusted users only, and consider disabling plugin installation entirely.
At the application level, plugin binaries and manifest contents should be strictly validated before anything is executed: reject archives whose member paths escape the plugin directory, reject `binaries` entries that do not name a file in the archive, and only run executables that match a known-good hash or signature.
Limit the privileges of the xiaoheiFS process and of plugin execution (an unprivileged service account, a container or similar sandbox), and enforce strict file type and content checks on uploaded plugins.
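For the validation step, here is the shape of an install-time gate, as an added example rather than the project's actual 0.4.0 fix, which the page does not show. It rejects an uploaded archive before anything is extracted or executed when a member name could escape the plugin directory (zip slip), when a manifest `binaries` entry names something that is not in the archive (which also catches absolute paths and `binary; command` strings), when the "binary" is really an interpreter script, or when its SHA-256 digest is not on an operator-maintained allowlist. The manifest layout and the hash allowlist are assumptions of this example; the archives it builds are constructed sample data.

```python
"""Install-time gate for plugin ZIP uploads (added example, not the xiaoheiFS fix).

Assumptions (ours): the archive carries manifest.json at its root with a
`binaries` list of archive-relative paths, and the operator maintains an
allowlist of SHA-256 digests for executables permitted to run.
"""
import hashlib
import io
import json
import posixpath
import zipfile


def safe_member(name: str) -> bool:
    """True if a zip member name cannot escape the extraction directory (zip slip)."""
    if not name or name.startswith(("/", "\\")) or "\\" in name or "\0" in name:
        return False
    if ":" in name.split("/", 1)[0]:  # Windows drive letter such as C:
        return False
    parts = posixpath.normpath(name).split("/")
    return ".." not in parts and parts[0] != "."


def validate_plugin_zip(data: bytes, allowed_sha256: set) -> list:
    """Return rejection reasons; an empty list means the archive may be installed."""
    errors = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        names = zf.namelist()
        for n in names:
            if not safe_member(n):
                errors.append(f"unsafe member name {n!r}")
        if errors:
            return errors  # do not even parse the manifest of a traversal archive
        if "manifest.json" not in names:
            return ["manifest.json missing from archive root"]
        try:
            manifest = json.loads(zf.read("manifest.json"))
        except ValueError:
            return ["manifest.json is not valid JSON"]
        binaries = manifest.get("binaries")
        if not isinstance(binaries, list) or not all(isinstance(b, str) for b in binaries):
            return ["binaries must be a list of strings"]
        for b in binaries:
            member = posixpath.normpath(b)
            if member not in names:  # absolute paths, traversal and "x; cmd" all land here
                errors.append(f"binary {b!r} is not in the archive")
                continue
            content = zf.read(member)
            if content.startswith(b"#!"):
                errors.append(f"binary {b!r} is an interpreter script")
            digest = hashlib.sha256(content).hexdigest()
            if digest not in allowed_sha256:
                errors.append(f"binary {b!r} sha256 {digest[:16]}... not in allowlist")
    return errors


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives; the "binary" is a fake ELF header, not a real program.
FAKE_ELF = b"\x7fELF" + b"\0" * 12
ALLOWLIST = {hashlib.sha256(FAKE_ELF).hexdigest()}
GOOD_ZIP = make_zip({
    "manifest.json": json.dumps({"name": "helper", "binaries": ["bin/helper"]}),
    "bin/helper": FAKE_ELF,
})
BAD_ZIP = make_zip({
    "manifest.json": json.dumps({"name": "helper",
                                 "binaries": ["bin/helper", "bin/rev.sh", "/bin/sh"]}),
    "bin/helper": FAKE_ELF,
    "bin/rev.sh": "#!/bin/sh\necho hello\n",
})
SLIP_ZIP = make_zip({"manifest.json": "{}", "../../etc/cron.d/evil": "* * * * * root id\n"})

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ZIP), ("bad", BAD_ZIP), ("slip", SLIP_ZIP)):
        print(label, validate_plugin_zip(blob, ALLOWLIST) or "accepted")
```

The gate runs on the raw upload bytes, so a rejected archive never touches disk; the allowlist check is what turns "only run what the manifest says" into "only run what the operator has approved", which is the control the vulnerable behaviour lacked.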