oss-sec mailing list archives
[OSSA-2026-006] OpenStack Skyline: DOM-based XSS in Skyline Console via unsanitized instance console log rendering (CVE-2026-pending)
From: Goutham Pacha Ravi <gouthampravi () gmail com>
Date: Thu, 9 Apr 2026 14:10:24 -0700
==============================================================================================
OSSA-2026-006: DOM-based XSS in Skyline Console via unsanitized instance console log rendering
==============================================================================================

:Date: April 09, 2026
:CVE: CVE-2026-pending

Affects
~~~~~~~
- Skyline-console: <5.0.1, ==6.0.0, ==7.0.0

Description
~~~~~~~~~~~
Myunghyun Lee (Team Open the Window, Stealien SSL 6th) reported a DOM-based
Cross-Site Scripting (XSS) vulnerability in Skyline Console. The instance
console log viewer rendered log content in a new browser window using
document.write() without sanitizing or escaping the output. Deployments where
administrators use the Skyline Console web interface to view instance console
logs are affected.

Patches
~~~~~~~
- https://review.opendev.org/982356 (2024.2/dalmatian)
- https://review.opendev.org/982355 (2025.1/epoxy)
- https://review.opendev.org/982350 (2025.2/flamingo)
- https://review.opendev.org/973351 (2026.1/gazpacho)

Credits
~~~~~~~
- Myunghyun Lee from Team Open the Window, Stealien SSL 6th (CVE-2026-pending)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2138575
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-pending

Notes
~~~~~
- Until upgraded, operators should restrict or avoid use of "View Full Log"
  for instances where console output may be influenced by untrusted users.
- A CVE request was filed with MITRE on 2026-03-25.
- The fix was merged on the master branch before the stable/2026.1 branch was
  cut, so no specific stable/2026.1 patch exists. The fix is included in the
  gazpacho (8.0.0) release.

--
Goutham Pacha Ravi (gouthamr)
OpenStack Vulnerability Management Team
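The bug class named in the Description (log text handed to document.write() as markup) is shown below with its defensive counterpart. This is an added example written for this archive page; it is not Skyline Console's code or its fix. The function names, the `doc` parameter that stands in for the popup window's document, and the SAMPLE_LOG lines are all constructed for illustration.

```javascript
// Added example (not Skyline's own code): render instance console log text
// without letting the browser interpret it as HTML. The advisory describes a
// viewer that passed raw log output to document.write(); the defensive fix is
// to escape the text, or better, to assign it as a text node.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the HTML string a log viewer would hand to document.write().
// Every log line is escaped, so markup embedded in console output is
// displayed literally instead of being parsed into elements.
function buildLogDocument(title, logText) {
  return (
    '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    '<title>' + escapeHtml(title) + '</title></head>' +
    '<body><pre>' + escapeHtml(logText) + '</pre></body></html>'
  );
}

// Preferred variant when a DOM is available: do not build HTML from log text
// at all. `doc` is the popup's window.document (assumed parameter, passed in
// so the function can be exercised outside a browser).
function renderLogIntoDocument(doc, logText) {
  const pre = doc.createElement('pre');
  pre.textContent = logText; // textContent never parses markup
  doc.body.appendChild(pre);
  return pre;
}

// Constructed sample of console output containing HTML-looking text, of the
// kind a guest OS or anyone able to write to the instance console can emit.
const SAMPLE_LOG = [
  '[    0.000000] Linux version 6.1.0 (constructed sample)',
  'login: <script>/* constructed */</script>',
  'cloud-init: "done" & \'exit\'',
].join('\n');

// Check that the rendered body contains no raw angle brackets, i.e. nothing
// the HTML parser would treat as a tag, and equals the escaped input exactly.
function isSafelyEscaped(html, rawLog) {
  const start = html.indexOf('<pre>') + '<pre>'.length;
  const body = html.slice(start, html.indexOf('</pre>'));
  return !/[<>]/.test(body) && body === escapeHtml(rawLog);
}

if (typeof require !== 'undefined' && require.main === module) {
  const html = buildLogDocument('Console log', SAMPLE_LOG);
  console.log(html);
  console.log('escaped correctly:', isSafelyEscaped(html, SAMPLE_LOG));
}
```

In a real viewer, `renderLogIntoDocument` is the form to prefer: a `<pre>` whose `textContent` is the log keeps the text out of the HTML parser entirely, so there is no escaping step to get wrong, and it also avoids document.write(), which reparses the whole document.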