Description
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.
References (4)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq
Patch x_refsource_misc
https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058
Patch x_refsource_misc
https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088
Scores
CVSS v3
4.1
EPSS
0.0005
EPSS Percentile
16.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (4)
goharbor/harbor
2.12.0-rc1 - 2.12.4-rc1 (Go)
goharbor/harbor
<= 2.4.0-rc1.1, < 2.11.3
goharbor/harbor
>= 2.12.0-rc1, < 2.12.4-rc1
goharbor/harbor
>= 2.13.0-rc1, < 2.13.1-rc1
Published
Jul 23, 2025
Tracked Since
Feb 18, 2026