CVE-2026-13083
Status: Received - Intake
Stored XSS in Pen Drive Report Generator

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Red Hat, Inc.

Description
A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
Meta Information
Generated: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-13083 is a stored cross-site scripting (XSS) vulnerability in the Pen Drive tool's HTML report generation feature.

The flaw occurs because cluster-sourced data, such as ClusterVersion spec.channel, CatalogSource metadata, and Subscription configuration, is rendered into HTML reports without proper escaping or sanitization.

An attacker with cluster administrator privileges or the ability to modify a must-gather archive can inject malicious HTML and JavaScript code into these fields.

When a user opens the generated HTML report in their browser, the injected script executes in their context, potentially causing harmful effects.

Impact Analysis

This vulnerability can lead to the execution of malicious scripts in the browser of any user who opens the affected HTML report. Possible consequences include:

  • Session token theft
  • Credential exfiltration
  • Manipulation of report content

These impacts arise because the attacker can inject code that runs with the privileges of the user viewing the report.

Detection Guidance

Exploitation of this vulnerability can be detected by checking whether HTML or script content has been injected into cluster objects such as ClusterVersion spec.channel. One way to do this is to inspect these fields for unexpected HTML tags or JavaScript code.

For example, you can use the following command to check the ClusterVersion spec.channel field for suspicious content:

  • oc get clusterversion version -o jsonpath='{.spec.channel}'

If the output contains HTML tags or JavaScript code (e.g., <img src=x onerror=alert(1)>), it indicates a possible injection.

Additionally, reviewing must-gather archives for injected markup in metadata fields (for example CatalogSource and Subscription objects) can surface the same indicators.
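The field inspection described above, carried out over the JSON form of a cluster object, as an added example (not code from the advisory or from the Pen Drive project). It walks the decoded output of an `oc get ... -o json` call and flags any string value containing HTML tags, event-handler attributes, `javascript:` URLs or numeric entities; the sample object, its clusterID placeholder and the pattern list are constructed for illustration.

```python
import json
import re
from typing import List, Tuple

# Markers of HTML/script content that should never appear in plain
# cluster-object fields such as ClusterVersion spec.channel (assumed set).
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),        # any HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # on*= event handler
    re.compile(r"javascript\s*:", re.IGNORECASE),  # javascript: URL scheme
    re.compile(r"&#x?[0-9a-f]+;", re.IGNORECASE),  # numeric entity obfuscation
]

def find_suspicious_fields(obj, path: str = "") -> List[Tuple[str, str]]:
    """Recursively walk a decoded object; return (json_path, value) pairs
    whose string values match one of the markers above."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_suspicious_fields(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_suspicious_fields(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if any(p.search(obj) for p in SUSPICIOUS_PATTERNS):
            hits.append((path or ".", obj))
    return hits

# Constructed sample resembling `oc get clusterversion version -o json`
# output whose spec.channel carries the payload quoted in the advisory
# text; it is inert here because it is only ever handled as plain data.
SAMPLE_CLUSTERVERSION = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "ClusterVersion",
    "metadata": {"name": "version"},
    "spec": {"channel": "stable-4.14<img src=x onerror=alert(1)>",
             "clusterID": "00000000-0000-0000-0000-000000000000"},  # placeholder
    "status": {"desired": {"version": "4.14.0"}},
})

# Constructed clean control object: a normal channel string must not be flagged.
CLEAN_CLUSTERVERSION = json.dumps({"kind": "ClusterVersion", "spec": {"channel": "stable-4.14"}})

def scan_json(raw: str) -> List[Tuple[str, str]]:
    """Decode `oc ... -o json` output and return the flagged fields."""
    return find_suspicious_fields(json.loads(raw))

if __name__ == "__main__":
    for field_path, value in scan_json(SAMPLE_CLUSTERVERSION):
        print(f"suspicious: {field_path} = {value!r}")
```

Pipe the output of `oc get clusterversion version -o json` (or the JSON files inside a must-gather archive) into `scan_json` to check several objects in one pass.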

Mitigation Strategies

Immediate mitigation steps include upgrading the Pen Drive tool to version 1.0.0-2 or later, where this vulnerability has been fixed.

Until the upgrade is applied, restrict cluster administrator privileges to trusted users only, as the vulnerability requires such privileges to inject malicious payloads.

Avoid opening HTML reports generated by Pen Drive from untrusted sources or clusters that may have been compromised.

Compliance Impact

The vulnerability allows an attacker with cluster administrator privileges to inject malicious scripts into HTML reports, which execute in the browser of any user who opens the report. This can lead to session token theft, credential exfiltration, or content manipulation.

Such unauthorized access and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
