87 matches found
CVE-2026-55175
Spinnaker CVE-2026-55175 affects Rosco/Kustomize bake operations where unsafe YAML tag processing in rosco manifests can lead to remote code execution on rosco pods. Affected versions are prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 across release lines; fixes are available in 2026.1.1, 20...
CVE-2026-55175 Spinnaker: Improper yaml processing on kustomize bake operations
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...
EUVD-2026-43087
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...
CVE-2026-55175 Spinnaker: Improper yaml processing on kustomize bake operations
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...
PT-2026-57343
Name of the Vulnerable Software and Affected Versions Spinnaker versions prior to 2026.1.1 Spinnaker versions prior to 2026.0.3 Spinnaker versions prior to 2025.4.4 Spinnaker versions prior to 2025.3.4 Description Unsafe YAML tag processing during Kustomize bake operations in rosco manifests can...
GHSA-89GR-R52H-F8RX vulnerabilities
Vulnerabilities for packages: chainloop-cli-fips, podman, crossplane-provider-azure-spring, chezmoi, opentofu-fips, splunk-otel-collector, crossplane-provider-azure-sql, crossplane-provider-azure-operationsmanagement, ollama-fips, tflint, crossplane-aws-provider, crossplane-provider-azure-relay,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: hcloud, podman, steampipe, zarf, caddy, loki, dagger, flux-kustomize-controller, kubernetes, policy-controller, istio, opentofu, grype, kargo, flux-image-automation-controller, crossplane-provider-azure-authorization, eksctl, rancher, chezmoi, falcoctl, tflint,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: victoriametrics, pluto, newrelic-k8s-metadata-injection, aws-network-policy-agent, tailscale, ingress-nginx-controller, mountpoint-s3-csi-driver, smarter-device-manager, hubble, flux-notification-controller, flux-image-automation-controller, external-secrets-operator...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: step-ca, cert-manager-istio-csr-fips, podman, splunk-otel-collector, envoy-gateway-fips, opentofu, consul, tempo-fips, cloudflared, temporal, weaviate, seaweedfs-fips, falcoctl, cloudprober, gomplate, gitlab-cng, harbor-registry, reports-server, cert-manager-istio-cs...
CLEANSTART-2026-YB46455 Security fixes for CVE-2022-3219, CVE-2025-61732, CVE-2025-68121, CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142 applied in versions: 5.7.1-r1, 5.7.1-r3
Multiple security vulnerabilities affect the kustomize package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-VP44686 Security fixes for CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61732, CVE-2025-68121 applied in versions: 5.7.1-r0, 5.7.1-r1
Multiple security vulnerabilities affect the kustomize-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-27141 vulnerabilities
Vulnerabilities for packages: cloud-sql-proxy, goose, helm-diff-fips, crossplane-provider-aws-backup, chezmoi, crossplane-provider-aws-acm, splunk-otel-collector, crossplane-provider-aws-route53-fips, grafana-mimir, ollama-fips, apm-server-fips, traefik-fips, crossplane-provider-aws-cloudfront,...
GHSA-8FJ7-8H3W-XWFM vulnerabilities
Vulnerabilities for packages: cloud-sql-proxy, goose, helm-diff-fips, crossplane-provider-aws-backup, chezmoi, crossplane-provider-aws-acm, splunk-otel-collector, crossplane-provider-aws-route53-fips, grafana-mimir, ollama-fips, apm-server-fips, traefik-fips, crossplane-provider-aws-cloudfront,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: zarf, dagger, terraform-provider-pagerduty, flux-kustomize-controller, policy-controller, opentofu, grype, q, flux-image-automation-controller, crossplane-provider-azure-authorization, crossplane-provider-aws-iam, crossplane-provider-aws-kinesis, argo-cd,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: zarf, dagger, terraform-provider-pagerduty, flux-kustomize-controller, policy-controller, opentofu, grype, q, flux-image-automation-controller, crossplane-provider-azure-authorization, crossplane-provider-aws-iam, crossplane-provider-aws-kinesis, argo-cd,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: helm-diff-fips, opentofu-fips, crossplane-provider-aws-route53-fips, crossplane-provider-azure-sql, opentofu, scorecard, nfpm, crossplane-provider-aws-cloudfront, helm-diff, terraform-fips, crossplane-provider-azure-authorization, ratify-fips, cluster-api,...
GHSA-FW7P-63QQ-7HPR vulnerabilities
Vulnerabilities for packages: step-ca, chezmoi, splunk-otel-collector, envoy-gateway-fips, sftpgo, ratify-fips, rekor, ory-kratos, croc, rekor-fips, tailscale, temporal, kine, percona-xtradb-cluster-operator, beats-fips, openbao, seaweedfs-fips, nri-mysql-fips, beats, minio,...
EUVD-2026-2097
Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository...
Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository
Summary The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization. Details Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary...
GHSA-XV56-3WQ5-9997 Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository
Summary The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization. Details Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary...