Vulnerability Details: CVE-2026-25705

Summary
Assigner: suse
Assigner Org ID: 404e59f5-483d-4b8a-8e7a-e67604dd8afb
Published At: 13 May, 2026 | 08:00
Updated At: 14 May, 2026 | 03:55

Rancher Extensions have arbitrary file access via path traversal

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to:

* Overwrite Rancher binaries or configuration to inject code.
* Write to /var/lib/rancher/ to tamper with cluster state.
* If hostPath volumes are mounted, write to the host node filesystem.
* Use this issue to chain with other attack vectors.
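The defensive counterpart to this issue, as an added example that is not Rancher's own code: a hypothetical Go helper that confines an extension-supplied `compressedEndpoint` to a plugin root before anything is written. The root path, the function name and the sample endpoint strings are assumptions; the point it demonstrates is that resolving dot segments (`filepath.Join` + `filepath.Rel`) is a sound check, whereas stripping matched `../` strings is what the CWE-35 `.../...//` pattern defeats.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the endpoint would resolve outside the plugin root.
var ErrOutsideRoot = errors.New("compressedEndpoint resolves outside the plugin root")

// ResolvePluginPath is a hypothetical helper (not Rancher's code) that treats an
// extension-supplied compressedEndpoint as untrusted and confines it to root.
// It rejects empty and absolute values, any result that escapes root via "..",
// and a result that is root itself, so the caller only ever writes below root.
func ResolvePluginPath(root, compressedEndpoint string) (string, error) {
	if compressedEndpoint == "" || filepath.IsAbs(compressedEndpoint) {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	// Join cleans the result: "a/../../b" becomes "../b" relative to root, and
	// the CWE-35 pattern ".../...//" is just a directory literally named "..."
	// because Clean resolves dot segments instead of stripping matched strings.
	joined := filepath.Join(cleanRoot, compressedEndpoint)
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	// Constructed sample values; the root is an assumed plugin directory.
	root := "/var/lib/rancher/plugins"
	for _, ep := range []string{"myext/plugin.tar.gz", "../../rancher.yaml", ".../...//inner.tgz"} {
		p, err := ResolvePluginPath(root, ep)
		fmt.Printf("%-22q -> %q, %v\n", ep, p, err)
	}
}
```

The helper does not follow symlinks, so on a live filesystem canonicalise the root with `filepath.EvalSymlinks` before calling it.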

Common Vulnerabilities and Exposures (CVE) record (cve.org)

CVE Numbering Authority (CNA)

Affected Products
Vendor: SUSE
Product: rancher
Package Name: github.com/rancher/rancher
Default Status: unaffected
Affected versions (semver):
  • From 2.14.0 before 2.14.1
  • From 2.13.0 before 2.13.5
  • From 2.12.0 before 2.12.9
  • From 2.10.11 before 2.11.13
Problem Types
CWE-35: Path Traversal: '.../...//'
Metrics
CVSS 3.1 base score: 8.4 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Credits
Finder: https://github.com/KoreaSecurity
References
  • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705
  • https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD) record (nvd.nist.gov)
Source: meissner@suse.de
Published At: 13 May, 2026 | 08:16
Updated At: 13 May, 2026 | 15:35

CISA Catalog: N/A
Metrics
CVSS 3.1 (Secondary) base score: 8.4 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Weaknesses
CWE-35 (Primary), source: meissner@suse.de
References (source: meissner@suse.de)
  • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25705
  • https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35

Change History: Information is not available yet

Similar CVEs (3 records found)

CVE-2022-43760
Matching Score: 8
Assigner: SUSE
CVSS Score: 8.4 (HIGH)
EPSS: 1.42% / 80.78% (7-day change ~0.00%)
Published: 01 Jun, 2023 | 12:56
Updated: 09 Jan, 2025 | 16:58
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

Action: Not Available
Vendor: SUSE
Product: Rancher (rancher)
CWE ID: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22649
Matching Score: 8
Assigner: SUSE
CVSS Score: 8.4 (HIGH)
EPSS: 45.19% / 97.64% (7-day change ~0.00%)
Published: 16 Oct, 2024 | 07:46
Updated: 30 Oct, 2024 | 21:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Rancher 'Audit Log' leaks sensitive information

A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature; only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue.

Action: Not Available
Vendor: rancher, SUSE
Product: rancher
CWE ID: CWE-532 Insertion of Sensitive Information into Log File
CVE-2025-53880
Matching Score: 6
Assigner: SUSE
CVSS Score: 8.7 (HIGH)
EPSS: 0.43% / 63.00% (7-day change ~0.00%)
Published: 30 Oct, 2025 | 10:31
Updated: 26 Feb, 2026 | 16:56
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal

A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.

Action: Not Available
Vendor: SUSE
Products:
  • SUSE Manager Proxy LTS 4.3
  • Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest
  • Container suse/manager/4.3/proxy-httpd:latest
  • Container suse/manager/5.0/x86_64/proxy-httpd:latest
CWE ID: CWE-35 Path Traversal: '.../...//'