Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Cluster admin write access required (PR:H); victim must open report in browser (UI:R); XSS crosses infrastructure-to-browser boundary (S:C); session/credential theft feasible (C:H); no availability impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
AnalysisAI
Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two prerequisites: first, the attacker must hold cluster administrator privileges sufficient to write arbitrary string values into cluster objects such as ClusterVersion spec.channel - this is a high-privilege authenticated condition (PR:H) that limits the attacker pool to insiders or actors who have already fully compromised a cluster admin account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.9 score reflects a meaningfully bounded but non-trivial risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious insider with cluster administrator access injects a cookie-stealing JavaScript payload into the ClusterVersion spec.channel field of the target cluster. When a site reliability engineer or operations user generates and opens the HTML cluster report in their browser, the payload silently executes, exfiltrating the victim's session tokens to an attacker-controlled endpoint. … |
| Remediation | No vendor-released patch version has been confirmed in the available data; monitor https://access.redhat.com/security/cve/CVE-2026-13083 for an updated advisory containing a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39596
GHSA-2cqr-m38f-xf8g