Skip to main content

Skyline CVE-2026-40212

| EUVDEUVD-2026-21332 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-10 mitre
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 10, 2026 - 08:15 euvd
EUVD-2026-21332
Analysis Generated
Apr 10, 2026 - 08:15 vuln.today
CVE Published
Apr 10, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console logs.

AnalysisAI

DOM-based cross-site scripting in OpenStack Skyline console interface allows authenticated administrators to execute arbitrary JavaScript via unsafe document.write usage when viewing instance console logs. Affects Skyline versions before 5.0.1, 6.0.0, and 7.0.0. Attack requires administrator authentication and user interaction (UI:R), limiting real-world impact but enabling session hijacking or credential theft from privileged users.

Technical ContextAI

OpenStack Skyline is a web-based dashboard for OpenStack cloud infrastructure management. The vulnerability resides in the console component's handling of instance console logs, where unsafely constructed document.write calls permit injection of malicious HTML and JavaScript. This is a classic DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled or attacker-controlled console output is written directly to the DOM without sanitization. The affected products are identified by CPE cpe:2.3:a:openstack:skyline, indicating all Skyline versions prior to the patched releases. The vulnerability manifests specifically when administrators access the console log viewing interface.

RemediationAI

Upgrade to patched versions: Skyline 5.0.1 or later, 6.0.0 (after patch application per advisory), or 7.0.0 (after patch application per advisory). The upstream fix is documented in the OpenStack code review at https://review.opendev.org/973351. Consult the vendor advisory at https://bugs.launchpad.net/skyline-console/+bug/2138575 for specific patch availability and release dates. As an interim mitigation, restrict console log viewing access to trusted administrators and disable or limit use of the console web interface if operations permit. Input validation and output encoding of console log content should be implemented to prevent DOM-based XSS.

Share

CVE-2026-40212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy