HTML Injection Vulnerability in Kyverno Policy Engine
CVE-2026-44245

6.1 MEDIUM

Key Information:

Vendor

Kyverno

Status
Vendor
CVE Published:
12 May 2026

What is CVE-2026-44245?

The Kyverno policy engine contains an HTML injection vulnerability caused by its use of Vue 3's v-html directive, which bypasses Vue's automatic escaping. As a result, non-URL string values are inserted into the DOM as raw HTML. The issue affects the PropertyCard.vue component, which renders untrusted input from PolicyReports, so any user with write access can control the HTML output. The vulnerability is fixed in version 2.5.2.
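The mitigation pattern for this class of bug, as an added example that is not Kyverno's code or its actual fix: escape every value before it reaches a raw-HTML sink such as v-html, and build a link only for values that parse as http(s) URLs. The function names and the sample property values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not code from Kyverno. All names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that is significant in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; everything else is treated as plain text.
function isHttpUrl(value) {
  if (typeof value !== "string" || /\s/.test(value)) return false;
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false; // not parseable as an absolute URL
  }
}

// Returns markup that is safe to bind with v-html. For values that never need
// a link, Vue text interpolation ({{ value }}) escapes by default and is simpler.
function renderPropertyValue(value) {
  const safe = escapeHtml(value);
  if (isHttpUrl(value)) {
    // The escaped value is used in the attribute too, so a quote cannot close href.
    return `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
  }
  return safe; // non-URL strings render as inert text
}

// Constructed sample PolicyReport property values.
const samples = [
  "<b>pod-a</b>",                      // markup in a non-URL string
  "https://example.com/docs?a=1&b=2",  // legitimate link
  "javascript:void(0)",                // non-http scheme, must not become a link
];
for (const s of samples) console.log(renderPropertyValue(s));
```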

Affected Version(s)

kyverno < 2.5.2

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved