CVE-2026-28673 is an OS command injection vulnerability identified in the xiaoheiFS product by danvei233, a self-hosted financial and operational system tailored for cloud service businesses. The vulnerability exists in versions up to and including 0.3.15, specifically within the standard plugin system. This system allows administrators to upload a ZIP archive containing a binary executable and a manifest.json file. The manifest includes a 'binaries' field that the server trusts implicitly, executing the specified binary without validating its contents or behavior. This lack of validation enables an attacker with administrative privileges to craft a malicious plugin that, when uploaded, results in remote code execution (RCE) on the server hosting xiaoheiFS. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 7.2, reflecting high severity, with attack vector network (AV:N), low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The issue was reserved on March 2, 2026, and published on March 18, 2026. Version 0.4.0 of xiaoheiFS addresses this vulnerability by presumably implementing validation or restrictions on plugin binaries. No known exploits have been reported in the wild to date.

The vulnerability allows remote code execution on servers running vulnerable versions of xiaoheiFS, which can lead to full system compromise. Attackers with administrative access can execute arbitrary commands, potentially stealing sensitive financial and operational data, modifying or deleting data, disrupting service availability, or using the compromised server as a foothold for lateral movement within an organization’s network. Given xiaoheiFS's role in cloud service business operations, exploitation could result in significant operational disruption and financial loss. The requirement for administrative privileges limits the attack surface to insiders or attackers who have already compromised admin credentials, but the absence of user interaction and low complexity makes exploitation straightforward once access is obtained. The vulnerability impacts confidentiality, integrity, and availability, making it a critical risk for organizations relying on this software for business-critical functions.

Organizations should immediately upgrade xiaoheiFS to version 0.4.0 or later, where the vulnerability is fixed. Until upgrading, restrict plugin upload capabilities strictly to trusted administrators and audit all uploaded plugins for suspicious content. Implement network segmentation and strict access controls to limit administrative access to the xiaoheiFS server. Employ application whitelisting or binary integrity checks to detect unauthorized or malicious binaries. Monitor logs for unusual plugin uploads or execution patterns. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block suspicious command execution. Regularly review and rotate administrative credentials to reduce the risk of privilege misuse. Finally, conduct security awareness training for administrators to recognize and prevent risky plugin uploads.