CVE-2026-25681
published 2026-05-22

Priority: P4 28 medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.18% (7.6th percentile)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected

480 ranges · showing 25

Vendor | Product | Version range | Fixed in
3scale-amp2 | 3scale-operator-bundle | |
3scale-amp2 | 3scale-rhel7-operator | |
3scale-amp2 | 3scale-rhel9-operator | |
advanced-cluster-security | rhacs-main-rhel8 | |
advanced-cluster-security | rhacs-rhel8-operator | |
advanced-cluster-security | rhacs-roxctl-rhel8 | |
advanced-cluster-security | rhacs-scanner-rhel8 | |
advanced-cluster-security | rhacs-scanner-slim-rhel8 | |
advanced-cluster-security | rhacs-scanner-v4-rhel8 | |
ansible-automation-platform-26 | receptor-rhel9 | |
assisted | agent-preinstall-image-builder-rhel9 | |
cert-manager | cert-manager-istio-csr-rhel9 | |
cert-manager | cert-manager-trust-manager-rhel9 | |
cert-manager | jetstack-cert-manager-acmesolver-rhel9 | |
cert-manager | jetstack-cert-manager-rhel9 | |
cnv-tech-preview | multus-cni | |
compliance | openshift-compliance-must-gather-rhel8 | |
compliance | openshift-compliance-openscap-rhel8 | |
compliance | openshift-compliance-operator-bundle | |
compliance | openshift-compliance-rhel8-operator | |
compliance | openshift-selinuxd-rhel10 | |
compliance | openshift-selinuxd-rhel8 | |
compliance | openshift-selinuxd-rhel9 | |
container-native-virtualization | hyperconverged-cluster-operator-rhel9 | |
container-native-virtualization | hyperconverged-cluster-webhook-rhel9 | |

CVSS provenance

nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvelistv5 | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_redhat | 6.1 | MEDIUM