CVE-2026-42457
CriticalSummary
vCluster Platform prior to versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0 has a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context.
Risk Assessment
An attacker with the ability to create namespaces could potentially create a new Global-Admin user, bypassing other security restrictions, which poses a serious threat to the organization.
Recommendation
It is recommended to upgrade to versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0 to mitigate this vulnerability.
Original NVD description (English source)
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.

