CVE-2026-42457
vCluster · vCluster Platform
A stored Cross-Site Scripting (XSS) vulnerability in the vCluster Platform allows attackers to execute arbitrary scripts and potentially escalate privileges.
Executive summary
A critical XSS vulnerability in the vCluster Platform allows an attacker to execute arbitrary scripts and potentially escalate to Global-Admin privileges.
Vulnerability
The platform fails to sanitize the name field of a templateRef, allowing an attacker with namespace creation permissions to inject malicious scripts that execute in the browser context of other users.
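As an added illustration (not code from the vCluster project), the two defensive layers a web UI should apply to a user-controlled templateRef name before it reaches another user's browser: reject names that are not valid Kubernetes object names, and escape whatever is rendered anyway. It assumes the name is rendered as HTML, which the advisory does not state; the `renderTemplateRef` list-view helper is hypothetical.

```javascript
// Added example, not vCluster code. Defense in depth for a user-controlled
// templateRef.name that is later displayed to other platform users.

// Layer 1: accept only valid Kubernetes object names. Kubernetes requires a
// DNS-1123 subdomain (lowercase alphanumerics, '-' and '.', at most 253 chars),
// so a conforming name cannot carry HTML or script characters at all.
const DNS1123_SUBDOMAIN =
  /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/;

function isValidTemplateRefName(name) {
  return (
    typeof name === "string" &&
    name.length > 0 &&
    name.length <= 253 &&
    DNS1123_SUBDOMAIN.test(name)
  );
}

// Layer 2: escape at the rendering boundary regardless of validation, so a
// later relaxation of the name rule cannot reintroduce stored XSS.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical list-view cell for a template reference, returned as an HTML
// string. Invalid names are refused (null) rather than rendered; the caller
// is expected to surface that as an error to the user.
function renderTemplateRef(templateRef) {
  if (!isValidTemplateRefName(templateRef.name)) {
    return null;
  }
  return `<td class="template-ref">${escapeHtml(templateRef.name)}</td>`;
}

// Constructed inputs: a normal name and one carrying markup characters of the
// kind the advisory describes.
const samples = [{ name: "team-a-template" }, { name: "<script>x</script>" }];
for (const ref of samples) {
  console.log(JSON.stringify(ref.name), "->", renderTemplateRef(ref));
}
```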
Business impact
This flaw can be leveraged to compromise administrative sessions, potentially leading to the creation of new Global-Admin users. With a CVSS score of 9.0, this represents a major threat to the multi-tenant security architecture of the Kubernetes platform.
Remediation
Immediate Action: Upgrade the vCluster Platform to the versions listed in the advisory (4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0).
Proactive Monitoring: Audit platform logs for suspicious activity within the template management UI and monitor for unauthorized creation of administrative accounts.
Compensating Controls: Implement strict RBAC policies to limit the number of users with namespace creation privileges until the platform can be patched.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The potential for privilege escalation makes this a high-priority update. Platform administrators must apply the security patches immediately to maintain the integrity of their multi-tenancy environment.