What is the CVSS score of CVE-2026-42457?

CVE-2026-42457 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of vCluster Platform are affected by CVE-2026-42457?

CVE-2026-42457 is a critical stored XSS vulnerability in vCluster Platform that allows authenticated users with namespace creation privileges to inject malicious scripts and escalate to Global-Admin…. A patch is available.

vCluster Platform CVE-2026-42457

EUVD-2026-30301 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-05-14 security-advisories@github.com

XSS Kubernetes

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 14, 2026 - 16:01 EUVD

Analysis Generated

May 14, 2026 - 15:32 vuln.today

CVE Published

May 14, 2026 - 15:16 nvd

CRITICAL 9.0

DescriptionNVD

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.

AnalysisAI

Stored Cross-Site Scripting (XSS) in vCluster Platform allows authenticated attackers with namespace creation privileges to inject malicious scripts via the templateRef name field, potentially escalating to Global-Admin access. The vulnerability affects versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. …

RemediationAI

Within 24 hours: Inventory all vCluster Platform deployments and document current versions; identify users with namespace creation privileges and review recent namespace creation activity. Within 7 days: Upgrade vCluster Platform to version 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0 or later across all production and non-production clusters; test upgrades in staging environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42457 vulnerability details – vuln.today

Back

vCluster Platform CVE-2026-42457

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code