5 matches found
CVE-2026-44245
CVE-2026-44245 affects Kyverno’s policy-reporter-ui where the PropertyCard.vue component uses Vue.js v-html to render non-URL strings, bypassing escaping and allowing stored HTML payloads from Kubernetes PolicyReport.results[].properties to flow into the DOM. The isURL() guard only filters http/h...
CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...
GHSA-Q98M-7W8C-W388 Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...