CVE-2026-27822 CRITICAL

CVE-2026-27822: Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

Vendor Rustfs
Product rustfs
Weakness CWE-79 · XSS
Published February 25, 2026
Last update February 25, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from `localStorage`, leading to full account takeover and system compromise. Version 1.0.0-alpha.83 fixes the issue.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 25, 2026 Record updated