xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system all…

xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical Remote Code Execution vulnerability in versions up to 0.3.15. The vulnerability exists in the plugin system where administrators can upload ZIP files containing binaries and manifest.json files. The server executes files specified in the manifest's 'binaries' field without proper validation, allowing attackers to achieve RCE. This affects the plugin upload functionality and poses significant security risks to cloud service businesses using the platform. The issue has been resolved in version 0.4.0.