Description
A stored cross-site scripting (XSS) vulnerability in OpenNebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the user information parameter.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in OpenNebula version 6.10.0.1, allowing an attacker to inject and persist arbitrary web scripts or HTML by exploiting the user information parameter. Successful exploitation could lead to client‑side code execution, session hijacking, defacement, or further malicious activity within the web interface, effectively compromising confidentiality and integrity of user sessions.

Affected Systems

OpenNebula, version 6.10.0.1. The vulnerability is confined to this specific release and affects all installations that have not applied a fix or an updated version.

Risk and Exploitability

Because the flaw is a stored XSS, once a payload is injected it is served to any users viewing the affected user information field, making the attack vector broad across authenticated web sessions. No EPSS score is available and the issue is not listed in CISA KEV, but the CVSS score is 6.1, reflecting the risk of client‑side code execution that could affect confidentiality and integrity of user sessions.

Generated by OpenCVE AI on April 30, 2026 at 14:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched or newer OpenNebula version that resolves the stored XSS flaw.
  • If an update is not immediately possible, sanitize and validate all input to the user information field to strip or encode script tags and reduce the risk of cross‑site scripting.
  • Configure the web application to serve a strict Content‑Security‑Policy that blocks inline scripts and restricts the execution of untrusted code.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:opennebula:opennebula:*:*:*:*:*:*:*:*

Thu, 30 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | Stored XSS Vulnerability in OpenNebula v6.10.0.1 Allows Arbitrary Script Execution

Wed, 29 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Opennebula; Opennebula opennebula
Vendors & Products | (none) | Opennebula; Opennebula opennebula

Wed, 29 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-79
Metrics | (none) | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the user information parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T16:23:42.067Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-56536

Vulnrichment

Updated: 2026-04-29T16:23:34.637Z

NVD

Status: Analyzed

Published: 2026-04-29T16:16:21.720

Modified: 2026-04-30T20:08:58.267

Link: CVE-2025-56536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:15:40Z

Weaknesses