
13 matches found

OSV
added 2026/02/26 9:30 a.m. · 5 views

BIT-SEALED-SECRETS-2026-22728 Bitnami Sealed Secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

CVSS 4.9 · AI score 5.7 · EPSS 0.00057
Exploits: 0 · References: 2

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2024-2846

Malicious code in bioql PyPI...

CVSS 4.9 · AI score 5.1 · EPSS 0.00223
Exploits: 0 · References: 9

OSV
added 2025/08/18 1:17 p.m. · 1 view

GO-2025-3885 External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access in github.com/external-secrets/external-secrets

External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access in github.com/external-secrets/external-secrets...

CVSS 7.1 · AI score 7.1 · EPSS 0.00108
Exploits: 0 · References: 6

GitHub Security Blog
added 2025/08/13 7:45 p.m. · 7 views

External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access

Summary A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...

CVSS 7.1 · AI score 6.3 · EPSS 0.00108
Exploits: 0 · References: 7 · Affected Software: 1

OSV
added 2025/08/13 7:45 p.m. · 2 views

GHSA-FCXQ-V2R3-CC8H External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access

Summary A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...

CVSS 7.1 · AI score 6.3 · EPSS 0.00108
Exploits: 0 · References: 7

Positive Technologies
added 2024/10/29 12:0 a.m. · 3 views

PT-2024-33271 · Kyverno +1 · Kyverno +1

Name of the Vulnerable Software and Affected Versions: Kyverno versions prior to 1.13.0 Description: A kyverno ClusterPolicy can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace, which may allow users with...

CVSS 9.9 · AI score 6.1 · EPSS 0.94047
Exploits: 20 · References: 136

OSV
added 2024/08/21 2:30 p.m. · 9 views

GO-2023-2080 Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium...

CVSS 8.1 · AI score 7.1 · EPSS 0.00019
Exploits: 0 · References: 4

OSV
added 2023/10/10 4:39 a.m. · 3 views

USN-6424-1 ruby-kramdown vulnerability

It was discovered that kramdown did not restrict Rouge formatters to the correct namespace. An attacker could use this issue to cause kramdown to execute arbitrary code...

CVSS 9.8 · AI score 5.9 · EPSS 0.0259
Exploits: 1 · References: 2

NVD
added 2023/06/05 10:15 p.m. · 10 views

CVE-2023-3027

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values instead of the policy apply a static manifest on a managed cluster of taking advantage of cluster scoped access in a created policy. This feature...

CVSS 7.8 · AI score 7.7 · EPSS 0.00039
Exploits: 0 · References: 1

Prion
added 2023/06/05 10:15 p.m. · 17 views

Code injection

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values instead of the policy apply a static manifest on a managed cluster of taking advantage of cluster scoped access in a created policy. This feature...

CVSS 4.3 · AI score 7.8 · EPSS 0.00039
Exploits: 0 · References: 1 · Affected Software: 1

Vulnrichment
added 2023/06/05 12:0 a.m. · 8 views

CVE-2023-3027

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values instead of the policy apply a static manifest on a managed cluster of taking advantage of cluster scoped access in a created policy. This feature...

AI score 7.3 · EPSS 0.00039
Exploits: 0 · References: 1

Positive Technologies
added 2023/06/05 12:0 a.m. · 3 views

PT-2023-22620 · Unknown · Grc-Policy-Propagator

Name of the Vulnerable Software and Affected Versions: grc-policy-propagator affected versions not specified Description: The issue allows security escalation within the cluster. It is related to policies that contain dynamically obtained values, which can take advantage of cluster scoped access ...

CVSS 7.8 · AI score 9.6 · EPSS 0.00039
Exploits: 0 · References: 3

CVE
added 2021/12/06 12:0 a.m. · 229 views

CVE-2021-43784

CVE-2021-43784 affects runc prior to 1.0.3, where a 16‑bit length field overflow in netlink bytemsg allowed an attacker who can influence container configuration to have the parsed payload override netlink-based container configuration and disable namespaces. Impact: potential namespace bypass by...

CVSS 6 · AI score 6 · EPSS 0.00126
Exploits: 1 · References: 7 · Affected Software: 1