Description
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An XSS flaw exists in the custom authenticator driver for OpenNebula version 6.10.0.1. The weakness permits crafted input to inject and run arbitrary JavaScript or HTML in the context of the web interface, potentially compromising the browser session of any user who authenticates through the driver.

Affected Systems

Only OpenNebula deployments that use the custom authenticator driver in version 6.10.0.1 are affected. Systems running newer OpenNebula releases or using different authentication mechanisms are not impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and no EPSS data is available. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a crafted payload during authentication; once accepted, the payload executes in the victim’s browser, allowing arbitrary script execution.

Generated by OpenCVE AI on April 30, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenNebula to the latest release that removes the XSS vulnerability in the custom authenticator driver.
  • Disable or replace the custom authenticator driver until a patched version is available.
  • Implement input sanitization and validation for all data passed to the authenticator driver to block injected scripts.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:opennebula:opennebula:*:*:*:*:*:*:*:*

Wed, 29 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opennebula; Opennebula opennebula
Vendors & Products | | Opennebula; Opennebula opennebula

Wed, 29 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T16:24:39.575Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-56534

Vulnrichment

Updated: 2026-04-29T16:24:33.008Z

NVD

Status: Analyzed

Published: 2026-04-29T16:16:21.477

Modified: 2026-04-30T20:09:13.400

Link: CVE-2025-56534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:15:40Z

Weaknesses