CVE-2026-27822: Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

February 25, 2026

A Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account takeover and system compromise.

References

github.com/advisories/GHSA-v9fg-3cr2-277j
github.com/rustfs/rustfs
github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.83
github.com/rustfs/rustfs/security/advisories/GHSA-v9fg-3cr2-277j
nvd.nist.gov/vuln/detail/CVE-2026-27822

Code Behaviors & Features

Detect and mitigate CVE-2026-27822 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →