Skip to main content

Pen Drive CVE-2026-13083

| EUVDEUVD-2026-39596 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 secalert@redhat.com GHSA-2cqr-m38f-xf8g
6.9
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
vuln.today AI
6.9 MEDIUM

Cluster admin write access required (PR:H); victim must open report in browser (UI:R); XSS crosses infrastructure-to-browser boundary (S:C); session/credential theft feasible (C:H); no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
6.9 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today

DescriptionCVE.org

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.

AnalysisAI

Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain cluster admin credentials
Delivery
Inject XSS payload into cluster object field
Exploit
Victim generates and opens HTML report
Execution
Script executes in victim's browser session
Impact
Exfiltrate session tokens or credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires two prerequisites: first, the attacker must hold cluster administrator privileges sufficient to write arbitrary string values into cluster objects such as ClusterVersion spec.channel - this is a high-privilege authenticated condition (PR:H) that limits the attacker pool to insiders or actors who have already fully compromised a cluster admin account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.9 score reflects a meaningfully bounded but non-trivial risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious insider with cluster administrator access injects a cookie-stealing JavaScript payload into the ClusterVersion spec.channel field of the target cluster. When a site reliability engineer or operations user generates and opens the HTML cluster report in their browser, the payload silently executes, exfiltrating the victim's session tokens to an attacker-controlled endpoint. …
Remediation No vendor-released patch version has been confirmed in the available data; monitor https://access.redhat.com/security/cve/CVE-2026-13083 for an updated advisory containing a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-13083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy