Cyber Resilience

CVE-2026-9804

High

Published: 28 May 2026
Modified: 28 May 2026
KEV Added: not listed
Patch: (no value recorded)
CVSS v3.1: 7.7 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.0042 (33.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-9804 is a high-severity Link Following (CWE-59) vulnerability in KubeVirt's virt-exportserver. Its CVSS v3.1 base score is 7.7 (High): the attack is network-reachable with low complexity, needs only low privileges and no user interaction, and has a changed scope (a symlink inside the exported volume reaches files on the exporter pod's own filesystem) with high confidentiality impact and no integrity or availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 33.4th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.


Vulnerability details

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. The endpoint serves the link target rather than rejecting a path that leaves the mount root, so this is information disclosure that potentially exposes sensitive data held on the pod.
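The flaw class above, reduced to a runnable illustration. This is an added example written for this page, not KubeVirt's code: the two handlers (serveVulnerable, serveHardened), the fixture layout (a "pvc" directory standing in for the exported PVC mount root, a "pod-fs/token" file standing in for a secret on the exporter pod, and an attacker symlink "pvc/escape" pointing at it) and all file contents are constructed assumptions. The vulnerable handler cleans the requested name lexically, which defeats "../" but not a symlink created inside the export root; the hardened handler resolves symlinks and checks the real path is still beneath the real root before reading.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned by the hardened handler when the requested
// name resolves, after following symlinks, to a file outside the mount root.
var ErrOutsideRoot = errors.New("path resolves outside mount root")

// serveVulnerable models the flaw described above (hypothetical handler, not
// KubeVirt's code): it joins the requested name onto the mount root with only
// lexical cleaning. That stops "../" sequences, but os.ReadFile still follows
// a symlink the caller placed inside the exported PVC, so a link to a file on
// the exporter pod's filesystem is read and returned.
func serveVulnerable(mountRoot, name string) ([]byte, error) {
	p := filepath.Join(mountRoot, filepath.Clean("/"+name))
	return os.ReadFile(p)
}

// serveHardened resolves every symlink in both the mount root and the
// requested path, then refuses unless the real path is still beneath the real
// root. Only after that check does it read the file.
func serveHardened(mountRoot, name string) ([]byte, error) {
	rootReal, err := filepath.EvalSymlinks(mountRoot)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(rootReal, filepath.Clean("/"+name)))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(rootReal, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrOutsideRoot
	}
	return os.ReadFile(target)
}

// DemoResult captures what each handler did with the constructed fixture.
type DemoResult struct {
	VulnerableLeak string // content the flawed handler returned for the symlink
	HardenedErr    error  // error the hardened handler returned for the symlink
	HardenedBenign string // content the hardened handler returned for a real file
}

// runDemo builds a constructed fixture in a temp dir: "pvc" stands in for the
// exported PVC mount root, "pod-fs/token" for a secret elsewhere on the
// exporter pod's filesystem, and "pvc/escape" is the attacker's symlink to it.
func runDemo() (DemoResult, error) {
	var res DemoResult
	base, err := os.MkdirTemp("", "vmexport-demo")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(base)

	root := filepath.Join(base, "pvc")
	secret := filepath.Join(base, "pod-fs", "token")
	if err := os.MkdirAll(root, 0o755); err != nil {
		return res, err
	}
	if err := os.MkdirAll(filepath.Dir(secret), 0o755); err != nil {
		return res, err
	}
	if err := os.WriteFile(secret, []byte("SECRET-TOKEN"), 0o600); err != nil {
		return res, err
	}
	if err := os.WriteFile(filepath.Join(root, "disk.img"), []byte("disk-bytes"), 0o644); err != nil {
		return res, err
	}
	// The attacker-controlled symlink placed inside the export root.
	if err := os.Symlink(secret, filepath.Join(root, "escape")); err != nil {
		return res, err
	}

	leak, err := serveVulnerable(root, "escape")
	if err != nil {
		return res, err
	}
	res.VulnerableLeak = string(leak)

	_, res.HardenedErr = serveHardened(root, "escape")

	benign, err := serveHardened(root, "disk.img")
	if err != nil {
		return res, err
	}
	res.HardenedBenign = string(benign)
	return res, nil
}

func main() {
	res, err := runDemo()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("vulnerable handler returned: %q\n", res.VulnerableLeak)
	fmt.Printf("hardened handler on symlink: %v\n", res.HardenedErr)
	fmt.Printf("hardened handler on real file: %q\n", res.HardenedBenign)
}
```

One caveat a reviewer should raise on the hardened form: there is still a window between EvalSymlinks and ReadFile in which a writer to the PVC could swap the link. For a race-free fix, open relative to the root with openat2 and RESOLVE_BENEATH, or with os.Root (Go 1.24 and later), so that symlink escapes are refused by the open itself rather than by a prior check.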

CWE(s)

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal via symlink directly enables reading arbitrary files from the pod filesystem, mapping to T1005 Data from Local System for information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24103 (shared CWE-59)
CVE-2026-41882 (shared CWE-59)
CVE-2026-48921 (shared CWE-59)
CVE-2026-32024 (shared CWE-59)
CVE-2026-31894 (shared CWE-59)
CVE-2025-0377 (shared CWE-59)
CVE-2026-32013 (shared CWE-59)
CVE-2026-44051 (shared CWE-59)
CVE-2026-41397 (shared CWE-59)
CVE-2026-40931 (shared CWE-59)


Mitigating Controls

No mitigating controls have been mapped to this CVE yet.
