A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
History

Sat, 27 Jun 2026 03:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | threat_severity None | threat_severity Moderate |


Thu, 25 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report. |
| Title | | Pen-drive: pen-drive: stored xss via unescaped cluster data in html report |
| First Time appeared | | Redhat, Redhat pdrive Lightspeed |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:/a:redhat:pdrive_lightspeed:0, cpe:/a:redhat:pdrive_lightspeed:1 |
| Vendors & Products | | Redhat, Redhat pdrive Lightspeed |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-25T23:23:42.386Z

Updated: 2026-07-01T15:32:01.676Z

Reserved: 2026-06-23T18:27:40.399Z

Link: CVE-2026-13083

Vulnrichment

Updated: 2026-06-27T02:34:43.187Z

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-06-23T00:00:00Z

Links: CVE-2026-13083 - Bugzilla