CVE-2026-62378
Received Received - Intake

Stored XSS in RustFS Console via PDF Preview

Vulnerability report for CVE-2026-62378, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

RustFS Console is a web management console for the RustFS distributed file system. From 0.1.7 until 0.1.10, the RustFS Console components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path can render HTML content uploaded as .pdf, allowing stored cross-site scripting in the management console and exposure of administrator AccessKeyId, SecretAccessKey, and SessionToken values. This is caused by a regression of CVE-2026-27822. This vulnerability is fixed in 0.1.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
rustfs console From 0.1.7 (inc) to 0.1.10 (inc)
rustfs console 0.1.10

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) flaw in the RustFS Console, a web management tool for the RustFS distributed file system. It affects versions 0.1.7 to 0.1.10 where PDF preview components could render HTML content uploaded as PDF files, allowing malicious scripts to execute in the console.

Impact Analysis

Attackers can exploit this to steal administrator credentials stored in the browser's localStorage, including AccessKeyId, SecretAccessKey, and SessionToken. This could lead to full account takeover, allowing attackers to perform administrative actions like deleting data or downloading the entire filesystem.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating confidentiality requirements in GDPR and HIPAA. Compromise of administrator credentials may result in data breaches, triggering compliance violations and potential legal penalties.

Detection Guidance

Check RustFS Console versions between 0.1.7 and 0.1.10 for vulnerable components. Inspect uploaded PDF files for HTML content or manipulated Content-Type headers. Review localStorage for unauthorized JavaScript execution in the management console.

Mitigation Strategies

Upgrade RustFS Console to version 0.1.10 or later. Remove any uploaded HTML files disguised as PDFs. Monitor administrator accounts for unauthorized access. Restrict file uploads to verified PDF content types only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart