CVE Watchtower


← Back to CVE List

CVE-2026-25705NVD

Vulnerability Summary

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.

* Write to /var/lib/rancher/ to tamper with cluster state.

* If hostPath volumes are mounted, write to the host node filesystem.

* Use this issue to chain with other attack vectors.
Severity Level
HIGH(8.4)
Published Date
May 13, 2026
Last Modified
May 13, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
0.01%Probability
Root Weakness (CWE)
Refer to the official MITRE database for detailed architectural specifications regarding this weakness.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredHigh
User InteractionRequired
ScopeChanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh