Kyverno Security Alert: CVE-2026-32289 Exposes XSS Risk in Template Literal Handling
A medium-severity vulnerability, CVE-2026-32289, has been identified within the Kyverno project, exposing a potential path to cross-site scripting (XSS) attacks. The core flaw resides in the engine's handling of JavaScript template literals, where context tracking fails across template branches. This failure, combined with improper tracking of brace depth for template actions, can lead to incorrect escaping of content. The result is that actions within JS template literals may not be sanitized as intended, creating a direct injection risk.
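To make the brace-depth half of that description concrete, here is a constructed toy tracker (added for illustration; it is not Kyverno's engine and its `{{name}}` action syntax, `render` function and `track_brace_depth` switch are assumptions). It escapes each substituted value for the context it lands in, literal text or a `${...}` expression, and the `track_brace_depth=False` path shows how losing count of nested braces puts a later action in the wrong context.

```python
import json

TEXT, EXPR = "text", "expr"   # the two contexts inside a JS template literal


def escape_for_context(value: str, ctx: str) -> str:
    """Escape an untrusted string for the context it is substituted into."""
    if ctx == TEXT:
        # literal text: neutralise backslash, backtick and ${ so the value can
        # neither close the literal nor open a new interpolation
        return value.replace("\\", "\\\\").replace("`", "\\`").replace("${", "\\${")
    # ${...} expression: emit a JSON string literal, a self-contained JS value
    return json.dumps(value)


def render(template: str, values: dict, track_brace_depth: bool = True) -> str:
    """Render a backtick template literal containing {{name}} actions.

    Constructed tracker, not Kyverno's code. With track_brace_depth=False it
    mimics the bug class: the first '}' is taken to end the ${...} expression,
    so later actions are escaped for the wrong context. Assumes no strings or
    comments appear inside ${...}."""
    out, ctx, depth, i = [], TEXT, 0, 0
    while i < len(template):
        if template.startswith("{{", i):                  # a template action
            end = template.index("}}", i)
            out.append(escape_for_context(values[template[i + 2:end].strip()], ctx))
            i = end + 2
            continue
        ch = template[i]
        if ctx == TEXT and template.startswith("${", i):  # enter an expression
            ctx, depth = EXPR, 1
            out.append("${")
            i += 2
            continue
        if ctx == EXPR:
            if ch == "{" and track_brace_depth:
                depth += 1
            elif ch == "}":
                depth = depth - 1 if track_brace_depth else 0
                if depth == 0:
                    ctx = TEXT                            # expression closed
        out.append(ch)
        i += 1
    return "".join(out)
```

With depth tracking, the second action in `` `${ f({a: {{x}}}) + {{y}} }` `` is emitted as a JSON string; without it, the inner `}` is mistaken for the end of the expression and the value is pasted into JavaScript code with only text-context escaping.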
The vulnerability is confirmed to affect multiple active branches of the Kyverno codebase, including the primary `main` branch as well as the `release-1.16` and `release-1.17` release lines. The issue is documented under GitHub's code scanning alert ID 2340, linking directly to the security advisory. This is not a theoretical flaw but a concrete implementation bug that could allow malicious input to bypass expected security controls, turning a trusted templating feature into a potential attack vector.
The presence of this vulnerability in core release branches signals a systemic code safety issue that requires immediate patching for all deployments. For organizations using Kyverno for Kubernetes policy management, the risk extends to any environment where policies that use these template literals are applied. The exposure underscores the persistent challenge of secure context tracking in complex templating systems and places pressure on maintainers and downstream users to validate their deployments against this specific CVE.