Description
A stored cross-site scripting (XSS) vulnerability in OpenNebula v6.10.0.1, fixed in v7.0, allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the virtual network template parameter.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting vulnerability in OpenNebula 6.10.0.1 allows an attacker to inject a crafted payload into the virtual network template parameter. When the template is rendered, the injected script or HTML is executed in the browser of any user who views it, enabling arbitrary client‑side code execution. The weakness aligns with CWE‑79.

Affected Systems

OpenNebula Platform version 6.10.0.1 is affected. The issue has been fixed in OpenNebula 7.0, so users of any earlier releases face this risk. No other vendors or products were reported, and the vulnerability is specific to the virtual network template handling component of OpenNebula.

Risk and Exploitability

The CVSS score is 6.1, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. An attack would require access to the OpenNebula web interface and the ability to create or modify virtual network templates, which typically requires authenticated privileged access. Given the lack of public exploit evidence, the likelihood of exploitation appears low, but the impact of successful exploitation is high due to the arbitrary code execution in clients.

Generated by OpenCVE AI on May 2, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch v7.0 or later
  • Restrict permission to edit virtual network templates to trusted users
  • Monitor logs for suspicious template modifications

Advisories

No advisories yet.

History

Sat, 02 May 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Stored XSS Vulnerability in OpenNebula 6.10.0.1 Virtual Network Template |

Thu, 30 Apr 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:opennebula:opennebula:*:*:*:*:*:*:*:* |

Wed, 29 Apr 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Opennebula; Opennebula opennebula |
| Vendors & Products | | Opennebula; Opennebula opennebula |

Wed, 29 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-79 |
| Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 29 Apr 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T16:21:27.264Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-56537

Vulnrichment

Updated: 2026-04-29T16:21:20.579Z

NVD

Status: Analyzed

Published: 2026-04-29T16:16:21.843

Modified: 2026-04-30T20:01:08.460

Link: CVE-2025-56537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses