NVD Warns of CVE-2026-27822 Stored XSS in RustFS Management Console

The National Vulnerability Database published an advisory on February 25 for CVE-2026-27822 that describes a Stored Cross-Site Scripting (XSS) flaw in the RustFS management console. The entry identifies the component as the management console and classifies the issue as Stored XSS, flagging the web-facing interface of RustFS as the affected surface. RustFS is identified in the advisory as a distributed object-storage system implemented in Rust.

The advisory listing for CVE-2026-27822 ties the vulnerability specifically to the management console portion of RustFS rather than the core object-storage engine. That distinction matters for operators because the management console is the control plane most likely exposed to administrators and automation, and the NVD entry uses the management console label when describing the affected component for CVE-2026-27822.

I reviewed the NVD advisory entry for CVE-2026-27822 to confirm the classification and the affected product name; the entry is explicit that this is a Stored Cross-Site Scripting issue in the RustFS management console. Given that the advisory was published on February 25, 2026, and carries the CVE identifier CVE-2026-27822, operators running RustFS should reference that NVD entry when tracking fixes or mitigations tied to this specific identifier.

RustFS users and administrators who operate the management console interfaces should treat CVE-2026-27822 as a priority to investigate because the NVD advisory singles out that console. Monitor the NVD entry for updates tied to CVE-2026-27822 and check RustFS project channels for coordinated disclosures or patches that address the management console vulnerability described on February 25. The NVD advisory for CVE-2026-27822 remains the primary public record to cite when correlating incident reports, patch notes, and mitigation steps for the RustFS management console Stored XSS issue.