4 matches found
CVE-2026-45738
CVE-2026-45738 : Argo CD contains a Stored XSS in link.argocd.argoproj.io/* annotations that can be rendered as anchor href values in the Summary tab, enabling javascript: execution for a higher-privileged user in the origin session when there is application write access. This is fixed in Argo CD...
CVE-2026-45738 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/ annotations whose pipe-separated values are rendered by...
GO-2026-5418 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation in github.com/argoproj/argo-cd
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation in github.com/argoproj/argo-cd...
GHSA-H98R-WV3H-FR38 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
Summary A user with application write access developer role can set link.argocd.argoproj.io/ annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as elements without URL validation. Using the pipe-separator trick Display Text |...