Description
A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is caused by missing HTML escaping when cluster data is written into reports. An attacker with cluster‑administrator rights can insert malicious JavaScript into objects such as the ClusterVersion spec.channel field, which is then rendered into a victim’s browser when the report is opened. The result is a stored XSS attack that can hijack user sessions, exfiltrate credentials, or otherwise compromise the client environment.
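As an added illustration (not Pen Drive's own code), the defect described above: a toy report generator that writes a constructed ClusterVersion object into HTML without escaping, beside the `html.escape` fix, plus a crude check a reviewer could run over a generated report before opening it in a browser.

```python
# Added illustration of the escaping defect described in the advisory.
# Neither renderer is Pen Drive's code; the ClusterVersion object is a
# constructed sample whose spec.channel (the field named above) carries markup.
import html
import re

CLUSTER_VERSION = {
    "kind": "ClusterVersion",
    "metadata": {"name": "version"},
    "spec": {"channel": 'stable-4.16<script>alert("report")</script>'},
}

ROW = "<tr><td>{field}</td><td>{value}</td></tr>\n"


def render_report_unescaped(cv: dict) -> str:
    """Vulnerable pattern: cluster-sourced strings are interpolated straight
    into the HTML, so markup in the data becomes markup in the report."""
    rows = ROW.format(field="metadata.name", value=cv["metadata"]["name"])
    rows += ROW.format(field="spec.channel", value=cv["spec"]["channel"])
    return f"<html><body><table>\n{rows}</table></body></html>"


def render_report_escaped(cv: dict) -> str:
    """Fixed pattern: every cluster-sourced value passes through html.escape,
    which neutralises < > & and (with quote=True) ' and "."""
    def cell(text) -> str:
        return html.escape(str(text), quote=True)

    rows = ROW.format(field="metadata.name", value=cell(cv["metadata"]["name"]))
    rows += ROW.format(field="spec.channel", value=cell(cv["spec"]["channel"]))
    return f"<html><body><table>\n{rows}</table></body></html>"


def contains_active_markup(report: str) -> bool:
    """Reviewer check for an already generated report: does a <script> tag or
    an on*= event handler survive in the document? A heuristic, not a fix."""
    return re.search(r"<script\b|\son\w+\s*=", report, re.IGNORECASE) is not None
```

The check only flags the obvious cases; the real mitigation is the escaping in `render_report_escaped`, applied to every value that originates from the cluster.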

Affected Systems

Red Hat Pen Drive Powered by Red Hat Lightspeed versions prior to 1.0.0-2 are affected. All releases that include the unescaped rendering logic, including the CPE versions 0 and 1 listed by Red Hat, fall under the risk window. The vulnerability is only exploitable in environments where an attacker can modify cluster objects.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, suggesting a lower current exploitation probability. Exploitation requires privileged cluster manipulation and the victim to open the generated HTML report in a browser. The attack vector is effectively controlled by the cluster administrator, but once the report is viewed the malicious code executes without further privileges.

Generated by OpenCVE AI on June 26, 2026 at 00:20 UTC.

Remediation

Vendor Workaround

The following practices help avoid exposure and mitigate this flaw:
  • Upgrade Pen Drive to version 1.0.0-2 or later, which reportedly contains the fix.
  • Until upgraded, review HTML reports generated by Pen Drive before opening them in a browser, or open them in a sandboxed browser environment.
  • If using must-gather archives from untrusted sources, validate the archive content before feeding it to Pen Drive.
  • Consider opening Pen Drive reports with JavaScript disabled in the browser.


OpenCVE Recommended Actions

  • Apply the latest Pen Drive release (version 1.0.0-2 or later) to eliminate the unescaped rendering logic.
  • If an upgrade is not immediately possible, review any generated HTML reports carefully before opening them in a browser, or open them only in a sandboxed or JavaScript‑disabled environment.
  • When ingesting must‑gather archives from untrusted sources, validate the archive contents before feeding them to Pen Drive.
  • For additional protection, enable JavaScript blocking or use a hardened browser that limits script execution in local files.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type        Values Removed           Values Added
References  -                        -
Metrics     threat_severity: None    threat_severity: Moderate


Thu, 25 Jun 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description          -                A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
Title                -                Pen-drive: pen-drive: stored xss via unescaped cluster data in html report
First Time appeared  -                Redhat; Redhat pdrive Lightspeed
Weaknesses           -                CWE-79
CPEs                 -                cpe:/a:redhat:pdrive_lightspeed:0; cpe:/a:redhat:pdrive_lightspeed:1
Vendors & Products   -                Redhat; Redhat pdrive Lightspeed
References           -                -
Metrics              -                cvssV3_1: {'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T23:23:42.386Z

Reserved: 2026-06-23T18:27:40.399Z

Link: CVE-2026-13083

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-23T00:00:00Z

Links: CVE-2026-13083 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')