CVE-2026-42457: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in loft-sh loft
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.
AI Analysis
Technical Summary
The loft-sh loft vCluster Platform contains a stored cross-site scripting vulnerability (CWE-79) in the name field of a templateRef. This vulnerability affects versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. An attacker with permission to create namespaces can inject malicious scripts that execute within the platform's browser context. This can lead to privilege escalation, including the creation of a Global-Admin user, circumventing security controls. The vulnerability is rated critical with a CVSS 3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). The vendor has released fixed versions to address this issue.
Potential Impact
Exploitation of this vulnerability allows an attacker with namespace creation privileges to execute arbitrary scripts in the platform's browser context, potentially leading to full compromise of the platform's administrative controls by creating a Global-Admin user. This can result in complete loss of confidentiality, integrity, and availability of the affected system. No known exploits have been reported in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in loft versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. Users should upgrade to one of these versions to remediate the issue. Since the vendor advisory does not provide additional remediation details, patching to a fixed version is the recommended action. Patch status is confirmed by the presence of fixed versions. No alternative mitigations are indicated.
CVE-2026-42457: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in loft-sh loft
Description
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The loft-sh loft vCluster Platform contains a stored cross-site scripting vulnerability (CWE-79) in the name field of a templateRef. This vulnerability affects versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. An attacker with permission to create namespaces can inject malicious scripts that execute within the platform's browser context. This can lead to privilege escalation, including the creation of a Global-Admin user, circumventing security controls. The vulnerability is rated critical with a CVSS 3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). The vendor has released fixed versions to address this issue.
Potential Impact
Exploitation of this vulnerability allows an attacker with namespace creation privileges to execute arbitrary scripts in the platform's browser context, potentially leading to full compromise of the platform's administrative controls by creating a Global-Admin user. This can result in complete loss of confidentiality, integrity, and availability of the affected system. No known exploits have been reported in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in loft versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. Users should upgrade to one of these versions to remediate the issue. Since the vendor advisory does not provide additional remediation details, patching to a fixed version is the recommended action. Patch status is confirmed by the presence of fixed versions. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-27T13:55:58.693Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05e885ec166c07b0eee252
Added to database: 5/14/2026, 3:21:41 PM
Last enriched: 5/14/2026, 3:37:14 PM
Last updated: 5/15/2026, 7:53:26 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.