CVE-2026-25705

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/05/2026
Last modified:
13/05/2026

Description

A vulnerability has been identified in [Rancher&amp;#39;s Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.<br /> <br /> * Write to /var/lib/rancher/ to tamper with cluster state.<br /> <br /> * If hostPath volumes are mounted, write to the host node filesystem.<br /> <br /> * Use this issue to chain with other attack vectors.