Description
A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw exists in OpenNebula v6.10.0.1 that allows an attacker to inject arbitrary HTML or JavaScript through the zone attribute parameter in the web console. The vulnerability stems from insufficient input validation and sanitization for this field, enabling the execution of client‑side code within the victim’s browser. This can lead to session hijacking, defacement, or the delivery of additional malicious payloads and represents a classic Cross‑Site Scripting scenario.

Affected Systems

The issue affects OpenNebula installations running the 6.10.0.1 release. Any environment that exposes the web console to untrusted users or networks is at risk. No other vendor products are listed, and no additional versions are known to be affected based on the data provided.

Risk and Exploitability

The CVSS score for this vulnerability is 6.1; the EPSS score is 0.00029, indicating a very low exploitation probability. Public exploitation code can be found on a community GitHub repository, indicating a low‑barrier attack path. Attackers can reach the vulnerable parameter via normal web requests to the console, so any access, unauthenticated or authenticated, that can manipulate the zone field is a valid attack vector. While the flaw is client‑side, the potential for persistent or credential‑stealing attacks justifies a medium severity rating for exposed deployments.

Generated by OpenCVE AI on May 2, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenNebula to a version that includes the XSS fix once available.
  • If an upgrade is not possible, implement server‑side validation or encoding for the zone attribute to allow only safe characters before rendering.
  • Configure the web interface to enforce a strict content‑security policy and disable inline script execution to mitigate any payload that bypasses input checks.
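The allowlist validation, output encoding and no‑inline‑script CSP from the list above, as an added example that is not OpenNebula's own code; the zone naming policy and the names ZONE_NAME_RE, renderZoneCell and buildCsp are hypothetical.

```javascript
// Added example, not OpenNebula's own code: the allowlist validation, output
// encoding and CSP steps from the list above, applied to a zone record.
// Names (ZONE_NAME_RE, renderZoneCell, buildCsp) are hypothetical.

// 1. Server-side allowlist (constructed policy: letters, digits, '.', '_', '-').
const ZONE_NAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

function isValidZoneName(name) {
  return typeof name === "string" && ZONE_NAME_RE.test(name);
}

// 2. Output encoding of the HTML-significant characters, so a value that
//    bypassed validation still renders as inert text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Every dynamic value is encoded at the point of output, whether it lands
// in an attribute or in element content.
function renderZoneCell(zone) {
  return `<td data-zone="${escapeHtml(zone.id)}">${escapeHtml(zone.name)}</td>`;
}

// 3. Content-Security-Policy value without 'unsafe-inline': the browser then
//    refuses inline <script> blocks and inline event handlers even if markup
//    slips past the encoder.
function buildCsp({ scriptSrc = ["'self'"], styleSrc = ["'self'"] } = {}) {
  return [
    "default-src 'self'",
    `script-src ${scriptSrc.join(" ")}`,
    `style-src ${styleSrc.join(" ")}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed sample: one well-formed zone name and one carrying markup.
const sampleZones = [
  { id: 0, name: "prod-zone_01.eu" },
  { id: 1, name: 'my"zone<b>1</b>' },
];
for (const zone of sampleZones) {
  console.log(isValidZoneName(zone.name), renderZoneCell(zone));
}
console.log("Content-Security-Policy:", buildCsp());
```

The encoder runs on every render, not only on values that failed validation, because the stored zone record may predate the validation rule.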

Advisories

No advisories yet.

History

Sat, 02 May 2026 01:00:00 +0000

Type: Title
Values Added: Cross‑Site Scripting via Zone Attribute Parameter in OpenNebula

Thu, 30 Apr 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:opennebula:opennebula:*:*:*:*:*:*:*:*

Wed, 29 Apr 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Opennebula; Opennebula opennebula

Type: Vendors & Products
Values Added: Opennebula; Opennebula opennebula

Wed, 29 Apr 2026 17:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 16:15:00 +0000

Type: Description
Values Added: A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T16:25:48.166Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-56535

Vulnrichment

Updated: 2026-04-29T16:25:44.353Z

NVD

Status : Analyzed

Published: 2026-04-29T16:16:21.610

Modified: 2026-04-30T20:09:05.780

Link: CVE-2025-56535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses