Description
OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console logs.
Published: 2026-04-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via the console interface
Action: Apply Patch
AI Analysis

Impact

OpenStack Skyline contains a DOM‑based Cross‑Site Scripting vulnerability caused by unsafe usage of document.write when rendering console logs. The flaw enables an attacker to inject and execute arbitrary JavaScript within the browser session of a logged‑in administrator, which could lead to credential theft, UI manipulation, or unauthorized actions against the OpenStack services.

Affected Systems

All Skyline releases older than 5.0.1, 6.0.0, and 7.0.0 are affected. Administrators should verify the version running in their environment and plan an update accordingly.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate level of severity. EPSS information is not available and the vulnerability is not included in the CISA KEV catalog. Based on the description, the flaw requires an authenticated administrator who can access the console log view; no publicly available exploits are documented, so the ability to exploit depends on the administrator’s access and the visibility settings of the console.

Generated by OpenCVE AI on April 10, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Skyline 5.0.1, 6.0.0, or 7.0.0 or later, which contains the XSS fix.
  • If an upgrade is not feasible immediately, restrict console log access to trusted administrators only.
  • If console logging is unnecessary, disable or remove the console log view feature to reduce exposure.

Generated by OpenCVE AI on April 10, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title DOM-based Cross‑Site Scripting in OpenStack Skyline Console Logs

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack skyline
Vendors & Products Openstack
Openstack skyline

Fri, 10 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console logs.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Openstack Skyline
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-10T15:32:11.199Z

Reserved: 2026-04-10T00:00:00.000Z

Link: CVE-2026-40212

cve-icon Vulnrichment

Updated: 2026-04-10T13:49:21.633Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-10T08:16:25.850

Modified: 2026-04-13T15:02:06.187

Link: CVE-2026-40212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:06:36Z

Weaknesses