PT-2026-40945 · Unknown · Vcluster Platform

Cbron

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-42457

CVSS v3.1

9.0

Critical

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions vCluster Platform versions prior to 4.4.3 vCluster Platform versions prior to 4.5.5 vCluster Platform versions prior to 4.6.2 vCluster Platform versions prior to 4.7.1 vCluster Platform versions prior to 4.8.0
Description A Stored Cross-Site Scripting (XSS) issue exists via the name field of a templateRef. This allows an attacker with the ability to create namespaces to execute arbitrary external scripts within the browser context of the platform. This could potentially enable a malicious user to create a new Global-Admin user and bypass security restrictions.
Recommendations Update to version 4.4.3 Update to version 4.5.5 Update to version 4.6.2 Update to version 4.7.1 Update to version 4.8.0

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42457
GHSA-X7CQ-V3H6-426C

Affected Products

Vcluster Platform