==============================================================================================
OSSA-2026-006: DOM-based XSS in Skyline Console via unsanitized instance console log rendering
==============================================================================================

:Date: April 09, 2026
:CVE: CVE-2026-40212


Affects
~~~~~~~
- Skyline-console: <5.0.1, ==6.0.0, ==7.0.0


Description
~~~~~~~~~~~
Myunghyun Lee (Team Open the Window, Stealien SSL 6th) reported a DOM-based
Cross-Site Scripting (XSS) vulnerability in Skyline Console. The instance
console log viewer rendered log content in a new browser window using
document.write() without sanitizing or escaping the output. Deployments where
administrators use the Skyline Console web interface to view instance console
logs are affected.


Errata
~~~~~~
CVE-2026-40212 was assigned by MITRE after publication. If any other CNA has
assigned a CVE themselves in the meantime, please reject it so that we don't
end up with duplicates.


Patches
~~~~~~~
- https://review.opendev.org/982356 (2024.2/dalmatian)
- https://review.opendev.org/982355 (2025.1/epoxy)
- https://review.opendev.org/982350 (2025.2/flamingo)
- https://review.opendev.org/973351 (2026.1/gazpacho)


Credits
~~~~~~~
- Myunghyun Lee from Team Open the Window, Stealien SSL 6th (CVE-2026-40212)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2138575
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40212


Notes
~~~~~
- Until upgraded, operators should restrict or avoid use of "View Full Log"
  for instances where console output may be influenced by untrusted users.
- A CVE request was filed with MITRE on 2026-03-25.
- The fix was merged on the master branch before the stable/2026.1 branch was
  cut, so no specific stable/2026.1 patch exists. The fix is included in the
  gazpacho (8.0.0) release.


OSSA History
~~~~~~~~~~~~
- 2026-04-10 - Errata 1
- 2026-04-09 - Original Version
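The Description above names the root cause: instance console output, which a guest can write freely, was handed to document.write() and therefore parsed as HTML. The following is an added example, not Skyline Console's code or the linked patches, showing the defensive pattern for that viewer: escape the HTML-significant characters before the text reaches a document, or assign it as textContent so the browser never parses it. All names (escapeHtml, renderConsoleLogHtml, showConsoleLogInWindow, containsUnexpectedTags, SAMPLE_LOG) are my own, and the log lines are constructed samples.

```javascript
// Added example (not Skyline Console's code): render instance console output
// as inert text instead of letting the browser interpret it as markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it renders literally inside an HTML text node or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for a console-log window. Both the instance name and the
// log body are escaped, so the only tags in the result are the template's.
function renderConsoleLogHtml(instanceName, logText) {
  return (
    '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    '<title>' + escapeHtml(instanceName) + ' console log</title>' +
    '</head><body><pre>' + escapeHtml(logText) + '</pre></body></html>'
  );
}

// Browser-side variant: with a live DOM, prefer textContent over
// document.write()/innerHTML so the log text is never parsed at all.
// (Not exercised outside a browser; shown for the pattern.)
function showConsoleLogInWindow(instanceName, logText) {
  const win = window.open('', '_blank');
  if (!win) return null; // popup blocked
  const pre = win.document.createElement('pre');
  pre.textContent = logText; // text node, never interpreted as markup
  win.document.title = instanceName + ' console log';
  win.document.body.appendChild(pre);
  return win;
}

// Regression check: does the rendered document contain any tag that did not
// come from our own template? True means escaping failed somewhere.
function containsUnexpectedTags(html) {
  const allowed = new Set([
    '!DOCTYPE', 'html', '/html', 'head', '/head', 'meta',
    'title', '/title', 'body', '/body', 'pre', '/pre',
  ]);
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1, -1).split(/\s+/)[0]));
}

// Constructed sample console output: a guest-controlled line that contains
// markup, plus ordinary lines with characters that need escaping.
const SAMPLE_LOG = [
  '[    0.000000] Linux version 6.1.0 (constructed sample line)',
  '[    1.234567] cloud-init: <script>alert("console log")</script>',
  '[    2.000000] login: user "a" & "b" <not a tag>',
].join('\n');

if (typeof module !== 'undefined' && require.main === module) {
  const html = renderConsoleLogHtml('vm-01', SAMPLE_LOG);
  console.log(html);
  console.log('unexpected tags present:', containsUnexpectedTags(html));
}
```

The escaping step is the minimal fix for code that must build an HTML string for a new window; where the code already has a handle on the new window's DOM, setting textContent on a `<pre>` element is simpler and removes the parsing step entirely.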