Bug 2491886 (CVE-2026-13083) - CVE-2026-13083 pen-drive: pen-drive: stored XSS via unescaped cluster data in HTML report
Status: NEW
Alias: CVE-2026-13083
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
Reported: 2026-06-23 18:33 UTC by OSIDB Bzimport
Modified: 2026-06-25 13:38 UTC (History)

Description OSIDB Bzimport 2026-06-23 18:33:53 UTC
A flaw was found in the Pen Drive tool's HTML report generation. When Pen Drive runs a full-run against an OpenShift cluster or a must-gather archive, it generates an HTML report containing cluster data. Cluster-sourced fields — including the ClusterVersion spec.channel, CatalogSource metadata, and Subscription configuration — are rendered directly into the HTML output without escaping or sanitization. An attacker with cluster administrator privileges (or the ability to modify a must-gather archive) can inject arbitrary HTML and JavaScript into cluster objects using commands such as: oc patch clusterversion version --type merge -p '{"spec":{"channel":"stable-4.18<img src=x onerror=alert(1)>"}}'. When Pen Drive generates a report from this cluster data and another user (such as a support engineer or cluster administrator) opens the report in their browser, the injected JavaScript executes in their browser context. This can lead to session token theft, credential exfiltration, or manipulation of displayed content. The vulnerability was found during an internal pentest of Pen Drive version 0.1.3 and is reportedly fixed in version 1.0.0-2.
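Added example (Go, not Pen Drive's own code): the same report template rendered with text/template, which reproduces the unescaped-output pattern described above, and with html/template, which escapes each cluster-sourced value for its HTML context so the injected markup is displayed as text instead of executed. The ClusterData type, its field names, the template and the sample values are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// ClusterData stands in for the cluster-sourced fields the report
// renders (ClusterVersion spec.channel, CatalogSource and Subscription
// metadata). Constructed for this example; not Pen Drive's own types.
type ClusterData struct {
	Channel, CatalogSource, Subscription string
}

// One template body for both renderers; only the template package differs.
const reportTmpl = `<table>
<tr><th>Channel</th><td>{{.Channel}}</td></tr>
<tr><th>CatalogSource</th><td>{{.CatalogSource}}</td></tr>
<tr><th>Subscription</th><td>{{.Subscription}}</td></tr>
</table>`

// RenderUnsafe reproduces the flaw pattern: text/template copies each
// value into the HTML verbatim, so cluster-supplied markup reaches the browser.
func RenderUnsafe(d ClusterData) (string, error) {
	t := texttemplate.Must(texttemplate.New("report").Parse(reportTmpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, d)
	return buf.String(), err
}

// RenderSafe is the fix: html/template escapes each value for its HTML
// context, so the same payload is displayed as inert text.
func RenderSafe(d ClusterData) (string, error) {
	t := htmltemplate.Must(htmltemplate.New("report").Parse(reportTmpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, d)
	return buf.String(), err
}

func main() {
	// Constructed sample: the channel value from the bug's oc patch example.
	d := ClusterData{Channel: "stable-4.18<img src=x onerror=alert(1)>",
		CatalogSource: "example-catalog", Subscription: "example-sub"}
	raw, _ := RenderUnsafe(d)
	escaped, _ := RenderSafe(d)
	fmt.Println(raw)
	fmt.Println(escaped)
}
```

The escaped report shows `stable-4.18&lt;img src=x onerror=alert(1)&gt;` in the channel cell, while the text/template output carries the `<img>` element unchanged.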

