CVE-2026-42457 - Vulnerability Analysis
CriticalCVSS: 9.0Last Updated: May 14, 2026
vCluster Platform - Stored XSS & Privilege Escalation
Overview
vCluster Platform < 4.4.3, 4.5.5, 4.6.2, 4.7.1, 4.8.0 contains a stored XSS caused by improper sanitization of the name field in templateRef, letting attackers execute arbitrary scripts and create Global-Admin users, exploit requires namespace creation ability.
Severity & Score
Impact
Malicious users can execute scripts and create Global-Admin users, bypassing security restrictions and fully compromising the platform.
Mitigation
Update to versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0 or later.
Social Media Activity(2 posts)
š“ CVE-2026-42457 - Critical (9) vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. Thi... š https://www.thehackerwire.com/vulnerability/CVE-2026-42457/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-42457 - Critical (9) vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. Thi... š https://www.thehackerwire.com/vulnerability/CVE-2026-42457/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-42457
- Severity
- Critical
- CVSS Score
- 9.0
- Type
- stored_xss
- Status
- rejected
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H