CVE-2026-62378 in Consoleinfo

Summary

by MITRE • 07/15/2026

RustFS Console is a web management console for the RustFS distributed file system. From 0.1.7 until 0.1.10, the RustFS Console components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path can render HTML content uploaded as .pdf, allowing stored cross-site scripting in the management console and exposure of administrator AccessKeyId, SecretAccessKey, and SessionToken values. This is caused by a regression of CVE-2026-27822. This vulnerability is fixed in 0.1.10.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The RustFS Console represents a critical web-based management interface for the RustFS distributed file system, serving as a primary administrative gateway for system operations and file management tasks. This console component operates with elevated privileges and contains sensitive credential information that directly impacts system security posture. The vulnerability affects versions 0.1.7 through 0.1.10, indicating a regression in previously addressed security measures that were initially documented in CVE-2026-27822. The flaw manifests specifically within the preview functionality of the console's object management components, particularly in the components/object/preview-modal.tsx and components/object/pdf-viewer.tsx files.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the PDF preview rendering pipeline. When users upload files with .pdf extensions, the system incorrectly processes these files to render HTML content that may be embedded within the document structure. This regression allows malicious actors to craft specially formatted PDF files containing embedded HTML or JavaScript payloads that execute within the context of the authenticated admin session. The vulnerability specifically targets the extension-based preview mechanism that was designed to handle various file types while maintaining security boundaries between different content formats.

The operational impact of this stored cross-site scripting vulnerability is severe and multifaceted, as it provides attackers with direct access to administrative credentials stored within the management console. Upon successful exploitation, adversaries can extract AccessKeyId, SecretAccessKey, and SessionToken values that grant them full administrative privileges over the underlying RustFS infrastructure. This credential exposure enables unauthorized users to perform any administrative action including file manipulation, system configuration changes, data exfiltration, and privilege escalation within the distributed file system environment. The vulnerability essentially transforms a simple file preview feature into a critical attack vector for privilege compromise.

The regression of CVE-2026-27822 demonstrates the importance of maintaining proper security controls during software updates and the potential risks associated with incomplete remediation efforts. This vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-200 (Information Exposure) categories, representing a classic case where inadequate input validation creates persistent security weaknesses. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1078 (Valid Accounts) techniques, as attackers can leverage the compromised administrative session to maintain persistence and escalate privileges. The exploitation requires minimal user interaction beyond uploading a malicious file, making it particularly dangerous in environments where administrators regularly preview uploaded content.

Mitigation strategies should prioritize immediate deployment of the fixed version 0.1.10, which properly addresses the input sanitization issues within the PDF preview components. Organizations must implement comprehensive file validation mechanisms that prevent HTML content execution within PDF previews and establish strict content-type verification processes. Network segmentation and access control measures should be enhanced to limit administrative console exposure, while monitoring systems should be configured to detect anomalous credential usage patterns. Additionally, regular security assessments of web application components should include thorough review of preview and rendering functionalities to identify potential regression vulnerabilities that could compromise system integrity.

Responsible

GitHub M

Reservation

07/14/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!