CVE Catalog

CVE-2026-13083

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A flaw was found in the Pen Drive report generator where cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored XSS payload into cluster objects that executes in the browser of any user who opens the generated HTML report.

Risk Assessment

The risk involves potential session theft, credential capture, or unauthorized actions in the victim's browser context, which could compromise data confidentiality and integrity within the organization.

Recommendation

Immediately update the Pen Drive report generator to a version that implements proper HTML output encoding and sanitization of cluster-sourced data. Until the update is applied, restrict access to generated HTML reports to trusted users only.

Original NVD description (English source)

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS