PT-2026-38296 · Kyverno · Kyverno

R0Binak · Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-44245

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Kyverno, versions prior to 2.5.2

Description
The PropertyCard.vue component renders PolicyReport property values with the Vue 3 v-html directive, which inserts the value as raw HTML and disables Vue's automatic escaping. The only guard is an isURL() check that matches values parsing as http: or https: URLs; any value that is not such a URL, including arbitrary HTML markup, bypasses the guard and is written directly into the DOM. The rendered data comes from the .results[].properties fields of Kubernetes PolicyReport objects. These fields are arbitrary string maps that can be populated by policy engines or by any principal with write access to PolicyReport resources in the cluster, so a crafted property value results in cross-site scripting (XSS) in the browser of any user who views the affected report in the UI (hence UI:R and S:C in the vector).

Recommendations
Update to version 2.5.2 or later. Until the upgrade is rolled out, limit which principals hold write access to PolicyReport objects via RBAC, since that write access is what places attacker-controlled values into the rendered properties.
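To make the bypass described above concrete, the following is an added example, not code from the Kyverno project: a minimal model of the isURL() guard and of what reaches v-html in the vulnerable pattern beside a hardened renderer that escapes every value first. The function names renderPropertyVulnerable(), renderPropertyHardened(), escapeHTML() and findMarkupProperties(), and the sample PolicyReport fragment, are constructed for this illustration; the real component's code is not reproduced here.

```javascript
// Added example (not Kyverno project code): a minimal model of the
// v-html guard described in the advisory. isURL() mirrors the described
// check; the other helpers and the sample PolicyReport are assumptions
// made for this illustration.

// Guard as described: only values that parse as http: or https: URLs
// count as URLs. Any other string (including markup) falls through.
function isURL(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false; // unparseable input, e.g. "<img ...>", is not a URL
  }
}

// What ends up bound to v-html in the vulnerable pattern: URLs become a
// link, everything else is handed to the DOM as raw, unescaped HTML.
function renderPropertyVulnerable(value) {
  if (isURL(value)) {
    return `<a href="${value}" target="_blank" rel="noopener">${value}</a>`;
  }
  return value; // raw markup reaches the DOM unescaped
}

// Hardened counterpart: escape every value before it becomes markup, so
// the string is safe for v-html (better still: use {{ }} / v-text).
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderPropertyHardened(value) {
  const text = escapeHTML(value);
  if (isURL(value)) {
    return `<a href="${text}" target="_blank" rel="noopener">${text}</a>`;
  }
  return text;
}

// Audit helper for operators: list result properties whose values contain
// markup characters, i.e. exactly what an unfixed UI would inject.
function findMarkupProperties(report) {
  const hits = [];
  for (const [i, result] of (report.results || []).entries()) {
    for (const [key, value] of Object.entries(result.properties || {})) {
      if (/[<>]/.test(String(value))) {
        hits.push({ result: i, policy: result.policy, key });
      }
    }
  }
  return hits;
}

// Constructed PolicyReport fragment (not captured from a real cluster).
const samplePolicyReport = {
  apiVersion: "wgpolicyk8s.io/v1alpha2",
  kind: "PolicyReport",
  metadata: { name: "example", namespace: "default" },
  results: [
    {
      policy: "require-labels",
      result: "fail",
      properties: {
        docs: "https://kyverno.io/policies/",
        note: 'see <img src="x" onerror="alert(document.domain)">',
      },
    },
  ],
};
```

Running findMarkupProperties() over PolicyReports exported with kubectl (for example `kubectl get policyreports -A -o json`) is a quick way to check whether any existing report already carries markup before the UI is upgraded.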

Exploit · Fix · XSS

Related Identifiers

BIT-KYVERNO-2026-44245
CVE-2026-44245
GHSA-Q98M-7W8C-W388

Affected Products

Kyverno