R0Binak

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 2.5.2 **Description** The PropertyCard.vue component uses the Vue 3 `v-html` directive, which injects raw HTML and disables auto-escaping. The `isURL()` function only filters values that parse as http: or https: URLs, allowing any HTML payload not starting with those schemes to bypass the guard and flow directly into the DOM. The affected data originates from Kubernetes PolicyReport `.results[].properties` fields, which are arbitrary string maps that can be populated by policy engines or any principal with write access to PolicyReport objects in the cluster. **Recommendations** Update to version 2.5.2.