Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component — CVE-2026-44245
GitHub · GitHub · CVE-2026-44245
ID
CVE-2026-44245
CVE-2026-44245
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.1
6.1
EPSS
0.00029
0.00029
Summary
### Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML…
Product
go: github.com/kyverno/policy-reporter-ui
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.