Lucene search
+L

7 matches found

Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-45738 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/ annotations whose pipe-separated values are rendered by...

7.3CVSS0.00312EPSS
Exploits0References7
OSV
OSV
added 4 days ago3 views

CVE-2026-45738 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/ annotations whose pipe-separated values are rendered by...

7.3CVSS6.2AI score0.00312EPSS
Exploits0References9
CVE
CVE
added 4 days ago15 views

CVE-2026-45738

CVE-2026-45738 : Argo CD contains a Stored XSS in link.argocd.argoproj.io/* annotations that can be rendered as anchor href values in the Summary tab, enabling javascript: execution for a higher-privileged user in the origin session when there is application write access. This is fixed in Argo CD...

7.3CVSS6.2AI score0.00312EPSS
Exploits0References7
OSV
OSV
added 2026/06/25 10:34 p.m.6 views

GO-2026-5418 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation in github.com/argoproj/argo-cd

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation in github.com/argoproj/argo-cd...

7.3CVSS5.8AI score0.00312EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/23 5:51 a.m.6 views

Cross-Site Scripting (XSS)

github.com/argoproj/argo-cd is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper URL validation in link.argocd.argoproj.io/ annotations, which allows an attacker with developer-level access to inject a javascript: URI using the pipe-separator trick and execute arbitrary...

7.3CVSS6.1AI score0.00312EPSS
Exploits0References8Affected Software3
OSV
OSV
added 2026/05/19 3:54 p.m.23 views

GHSA-H98R-WV3H-FR38 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Summary A user with application write access developer role can set link.argocd.argoproj.io/ annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as elements without URL validation. Using the pipe-separator trick Display Text |...

7.3CVSS6AI score0.00312EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 3:54 p.m.16 views

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Summary A user with application write access developer role can set link.argocd.argoproj.io/ annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as elements without URL validation. Using the pipe-separator trick Display Text |...

7.3CVSS6AI score0.00312EPSS
Exploits0References2Affected Software3
Rows per page
Query Builder