CVE-2026-13083
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A flaw was found in the Pen Drive report generator where cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored XSS payload into cluster objects that executes in the browser of any user who opens the generated HTML report.
Risk Assessment
The risk involves potential session theft, credential capture, or unauthorized actions in the victim's browser context, which could compromise data confidentiality and integrity within the organization.
Recommendation
Immediately update the Pen Drive report generator to a version that implements proper HTML output encoding and sanitization of cluster-sourced data. Until the update is applied, restrict access to generated HTML reports to trusted users only.
Original NVD description (English source)
A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.

