OSSA-2026-006: DOM-based XSS in Skyline Console via unsanitized instance console log rendering

Date:

April 09, 2026

CVE:

CVE-2026-40212

Affects

  • Skyline-console: <5.0.1, ==6.0.0, ==7.0.0

Description

Myunghyun Lee (Team Open the Window, Stealien SSL 6th) reported a DOM-based Cross-Site Scripting (XSS) vulnerability in Skyline Console. The instance console log viewer rendered log content in a new browser window using document.write() without sanitizing or escaping the output. Deployments where administrators use the Skyline Console web interface to view instance console logs are affected.
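Added illustration (not Skyline Console's code): the two renderers below contrast the pattern the advisory describes, log text interpolated straight into markup that is then written to a new window, with an escaped version, and showLogInNewWindow shows the DOM-based alternative that avoids document.write() entirely. The sample log line is constructed and the window handle is assumed to be whatever window.open() returned.

```javascript
// Added example, not part of the advisory or of Skyline Console.

// Escape the five characters that let text be parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pattern described in the advisory: raw console output is placed into
// markup, so any tags that a guest writes to its console become real
// elements once the string reaches document.write().
function renderLogUnsafe(logText) {
  return '<html><body><pre>' + logText + '</pre></body></html>';
}

// Hardened string version: escape before interpolation so the log can
// only ever appear as text, even if the page is still built as a string.
function renderLogEscaped(logText) {
  return '<html><body><pre>' + escapeHtml(logText) + '</pre></body></html>';
}

// Preferred browser fix: build the viewer with DOM APIs and assign the log
// via textContent, which never parses markup. `win` is the handle returned
// by window.open() (assumed; not shown here).
function showLogInNewWindow(logText, win) {
  const pre = win.document.createElement('pre');
  pre.textContent = logText;
  win.document.body.appendChild(pre);
  return pre;
}

// Constructed sample: a guest's serial console emits markup-looking text.
const SAMPLE_LOG = 'cloud-init done\n<b>not bold</b> & 100% done';

// True when the rendered page still carries the guest's tag as markup.
function leaksMarkup(rendered) {
  return rendered.includes('<b>');
}
```

Running leaksMarkup over both renderers with SAMPLE_LOG shows the unsafe output keeps the guest's tag intact while the escaped output does not.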

Errata

CVE-2026-40212 was assigned by MITRE after publication. If any other CNA has assigned a CVE themselves in the meantime, please reject it so that we don’t end up with duplicates.

Patches

Credits

  • Myunghyun Lee from Team Open the Window, Stealien SSL 6th (CVE-2026-40212)

References

Notes

  • Until upgraded, operators should restrict or avoid use of “View Full Log” for instances where console output may be influenced by untrusted users.

  • A CVE request was filed with MITRE on 2026-03-25.

  • The fix was merged on the master branch before the stable/2026.1 branch was cut, so no specific stable/2026.1 patch exists. The fix is included in the gazpacho (8.0.0) release.

OSSA History

  • 2026-04-10 - Errata 1

  • 2026-04-09 - Original Version