CVE-2026-28673 in xiaoheiFS

Summary

by MITRE • 03/18/2026

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.


Analysis

by VulDB Data Team • 03/22/2026

The xiaoheiFS system represents a cloud service infrastructure platform designed for financial and operational management, where administrators can extend functionality through a plugin architecture. This vulnerability exists within the plugin installation mechanism that accepts ZIP archives containing both binary executables and manifest configuration files. The system's trust model is fundamentally flawed as it blindly executes binaries specified in the manifest file without performing any integrity checks or behavioral analysis of the uploaded content. This design flaw creates a critical security gap that directly enables arbitrary code execution through the plugin upload interface.

The technical implementation of this vulnerability stems from insufficient input validation and trust assumptions within the plugin loading process. When administrators upload plugins, the system parses the manifest.json file and directly executes the binary path specified in the binaries field without verifying whether the file matches the declared manifest information or whether it contains malicious code. This approach violates fundamental security principles of least privilege and input sanitization, allowing attackers to upload malicious binaries that execute with the privileges of the xiaoheiFS service account. The vulnerability specifically affects versions up to 0.3.15 and demonstrates a classic case of unsafe deserialization combined with inadequate access controls, where the manifest file acts as an untrusted data source that should never be directly executed.

The operational impact of this vulnerability is severe and far-reaching for organizations using affected versions of xiaoheiFS. An attacker who gains access to administrative credentials or can exploit another vulnerability to upload plugins can achieve complete system compromise through remote code execution. This allows for data exfiltration, system persistence, lateral movement within the network, and potential escalation to other systems. The vulnerability affects the core operational integrity of financial and cloud service platforms, potentially exposing sensitive financial data and disrupting business operations. From an attack perspective, this represents a high-value target that aligns with attack techniques categorized under credential access and execution phases in the MITRE ATT&CK framework, specifically mapping to techniques such as privilege escalation and legitimate user execution.

The fix implemented in version 0.4.0 addresses this vulnerability through proper input validation and execution controls. The updated system should validate the integrity of uploaded plugin binaries against the manifest information, implement proper file type checking, and execute uploaded code in restricted environments or sandboxes. This remediation aligns with security best practices outlined in CWE-732, which addresses incorrect permission assignment, and CWE-434, which covers insecure file upload. Organizations should immediately upgrade to version 0.4.0 or later to mitigate this risk, while also implementing additional monitoring for unauthorized plugin uploads and execution attempts. The vulnerability demonstrates the critical importance of validating all user-supplied content and implementing defense-in-depth strategies to prevent privilege escalation attacks.
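The hardening described above (manifest checked against the binary it names, file-type checks, a trust anchor the uploader cannot alter) can be made concrete. The following is an added example written for this page, not xiaoheiFS code and not the 0.4.0 patch. It assumes a manifest layout in which `binaries` is a list of `{"path": ..., "sha256": ...}` objects and an operator-maintained SHA-256 allowlist stored outside the upload path; the page only states that a `manifest.json` with a `binaries` field is trusted and executed. Sandboxed execution of an approved binary is out of scope here.

```python
"""Validate a ZIP-based plugin before anything in it may be executed.

Added example, not xiaoheiFS code. Manifest layout and allowlist are assumed.
"""
import hashlib
import io
import json
import zipfile
from pathlib import PurePosixPath

ELF_MAGIC = b"\x7fELF"
MAX_BINARY_BYTES = 50 * 1024 * 1024  # size cap chosen for the example


class PluginRejected(Exception):
    """Raised when the archive fails any validation rule."""


def _safe_member_path(name: str) -> str:
    """Reject absolute paths, backslashes and '..' segments in archive names."""
    p = PurePosixPath(name)
    if p.is_absolute() or "\\" in name or ".." in p.parts:
        raise PluginRejected(f"unsafe path in plugin: {name!r}")
    return p.as_posix()


def validate_plugin(zip_bytes: bytes, allowed_sha256: set) -> list:
    """Return the binaries cleared for execution, or raise PluginRejected.

    Rules: manifest must parse and declare a non-empty `binaries` list; every
    declared binary must be a member of the archive (no traversal); its real
    SHA-256 must equal the hash declared in the manifest; that hash must be on
    the operator allowlist (a trust anchor the uploader cannot change); and the
    file must look like an ELF executable under the size cap.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {_safe_member_path(n): n for n in zf.namelist()}
        if "manifest.json" not in names:
            raise PluginRejected("manifest.json missing")
        try:
            manifest = json.loads(zf.read(names["manifest.json"]))
        except ValueError as e:
            raise PluginRejected(f"manifest.json is not valid JSON: {e}") from e
        binaries = manifest.get("binaries")
        if not isinstance(binaries, list) or not binaries:
            raise PluginRejected("manifest.binaries must be a non-empty list")

        approved = []
        for entry in binaries:
            if not isinstance(entry, dict) or "path" not in entry or "sha256" not in entry:
                raise PluginRejected("each binaries entry needs 'path' and 'sha256'")
            path = _safe_member_path(str(entry["path"]))
            if path not in names:
                raise PluginRejected(f"declared binary not in archive: {path}")
            info = zf.getinfo(names[path])
            if info.file_size > MAX_BINARY_BYTES:
                raise PluginRejected(f"{path}: exceeds size cap")
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            if digest != str(entry["sha256"]).lower():
                raise PluginRejected(f"{path}: content hash does not match manifest")
            if digest not in allowed_sha256:
                raise PluginRejected(f"{path}: hash not on operator allowlist")
            if not data.startswith(ELF_MAGIC):
                raise PluginRejected(f"{path}: not an ELF executable")
            approved.append(path)
        return approved


def build_demo_archive(binary: bytes, declared_sha256: str, path: str = "bin/plugin") -> bytes:
    """Construct an in-memory plugin ZIP (sample input for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = {"name": "demo", "binaries": [{"path": path, "sha256": declared_sha256}]}
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr(path, binary)
    return buf.getvalue()


# Constructed stand-ins, not real executables: an ELF-looking blob and a shell script.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"demo-plugin-body"
FAKE_ELF_SHA256 = hashlib.sha256(FAKE_ELF).hexdigest()
SCRIPT = b"#!/bin/sh\necho demo\n"
SCRIPT_SHA256 = hashlib.sha256(SCRIPT).hexdigest()


def demo() -> dict:
    """Run the validator over one good archive and four that must be rejected."""
    cases = {
        "good": (build_demo_archive(FAKE_ELF, FAKE_ELF_SHA256), {FAKE_ELF_SHA256}),
        "hash_mismatch": (build_demo_archive(FAKE_ELF + b"x", FAKE_ELF_SHA256), {FAKE_ELF_SHA256}),
        "not_allowlisted": (build_demo_archive(FAKE_ELF, FAKE_ELF_SHA256), set()),
        "traversal": (build_demo_archive(FAKE_ELF, FAKE_ELF_SHA256, "../../usr/bin/x"), {FAKE_ELF_SHA256}),
        "not_elf": (build_demo_archive(SCRIPT, SCRIPT_SHA256), {SCRIPT_SHA256}),
    }
    results = {}
    for name, (archive, allow) in cases.items():
        try:
            results[name] = "accepted: " + ",".join(validate_plugin(archive, allow))
        except PluginRejected as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The ordering matters: the manifest-declared hash proves only that the manifest and the file agree with each other, which an uploader controls end to end; the allowlist is what ties execution to a decision made outside the upload. Logging each `PluginRejected` with the admin account and archive name gives the "monitoring for unauthorized plugin uploads" the analysis recommends.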

Responsible: GitHub M
Reservation: 03/02/2026
Disclosure: 03/18/2026
Moderation: accepted
CPE: ready
EPSS: 0.00514
KEV: no
Activities: very low
