CVE-2026-28673
Received Received - Intake
Remote Code Execution in xiaoheiFS Plugin System

Publication date: 2026-03-18

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28673
EUVD
EUVD-2026-12700
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
danvei233 xiaoheifs to 0.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28673 is a high-severity Remote Code Execution (RCE) vulnerability in the plugin system of the xiaoheiFS project (versions up to 0.3.15). The system allows administrators to upload a ZIP file containing a binary and a manifest.json file. The server blindly trusts the binaries field in the manifest and executes the specified binary without validating its contents or behavior.

This means an attacker with administrative privileges can craft a malicious plugin ZIP file with a manifest pointing to a harmful binary, such as a reverse shell script. When the plugin is enabled, the server executes the malicious binary, allowing the attacker to run arbitrary code remotely on the server.

Impact Analysis

This vulnerability can lead to full system compromise because it allows an attacker with admin access to execute arbitrary code on the server remotely.

  • Remote Code Execution (RCE) enables attackers to run any commands or code on the affected system.
  • Confidentiality, integrity, and availability of the system can be fully compromised.
  • Attack complexity is low once admin privileges are obtained, and no user interaction is required.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the plugin installation and enabling endpoints for suspicious activity, especially uploads of ZIP files containing binaries and manifest.json files with unusual or unexpected binaries specified.'}, {'type': 'paragraph', 'content': 'Specifically, you can check for usage of the `/admin/api/v1/plugins/install` endpoint and inspect uploaded ZIP files for malicious binaries or manipulated `binaries` fields in the `manifest.json`.'}, {'type': 'paragraph', 'content': 'Commands to help detect exploitation attempts might include:'}, {'type': 'list_item', 'content': 'Inspect recent uploads to the plugins directory for unexpected files: `ls -l /path/to/plugins/`'}, {'type': 'list_item', 'content': "Search for suspicious binaries referenced in manifest.json files: `grep -r 'binaries' /path/to/plugins/`"}, {'type': 'list_item', 'content': 'Monitor network connections for unusual outbound connections that could indicate reverse shells: `netstat -anp | grep ESTABLISHED` or `ss -anp | grep ESTABLISHED`'}, {'type': 'list_item', 'content': 'Check server logs for calls to the plugin enable endpoint `/admin/api/v1/plugins/{category}/{plugin_id}/enable` to identify when plugins are enabled.'}] [1]

Mitigation Strategies

Immediate mitigation steps include upgrading xiaoheiFS to version 0.4.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict administrative access to the plugin installation and enabling endpoints to trusted users only.

Implement strict validation and sanitization of plugin binaries and manifest contents before execution to prevent execution of malicious code.

Limit plugin installation and execution privileges, and enforce strict file type and content checks on uploaded plugins.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28673. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart