High severity 8.4 · GHSA Advisory · Published May 13, 2026 · Updated May 13, 2026

CVE-2026-25705

Description

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to:

  • Overwrite Rancher binaries or configuration to inject code.
  • Write to /var/lib/rancher/ to tamper with cluster state.
  • If hostPath volumes are mounted, write to the host node filesystem.
  • Use this issue to chain with other attack vectors.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions         Patched versions
github.com/rancher/rancher   Go          >= 2.14.0, < 2.14.1       2.14.1
github.com/rancher/rancher   Go          >= 2.13.0, < 2.13.5       2.13.5
github.com/rancher/rancher   Go          >= 2.12.0, < 2.12.9       2.12.9
github.com/rancher/rancher   Go          >= 2.10.11, < 2.11.13     2.11.13
