CVE-2026-13083

Summary

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

  • Upgrade Pen Drive to version 1.0.0-2 or later, which reportedly contains the fix.
  • Until upgraded, review HTML reports generated by Pen Drive before opening them in a browser, or open them in a sandboxed browser environment.
  • If using must-gather archives from untrusted sources, validate the archive content before feeding it to Pen Drive.
  • Consider opening Pen Drive reports with JavaScript disabled in the browser.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References