GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: steampipe, guac, sops, loki, ko, containerd, wal-g, gptscript, chisel, eksctl, opentelemetry-collector, step, policy-controller, argo-events, caddy, syft, fscrypt, witness, crossplane-provider-azure-managedidentity, pulumi-language-dotnet, kyverno, rancher, terragrun...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: gitlab-runner-fips, livekit-server, undock, velero-plugin-for-gcp-fips, harbor, vitess, falcosidekick-fips, kubescape-operator-fips, skopeo, splunk-otel-collector-fips, consul-k8s-fips, prometheus-podman-exporter, cert-manager, terragrunt-fips, dapr, containerd,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: guac, sops, wal-g, gptscript, vcluster, crossplane-provider-aws-rds, trufflehog, policy-controller, argo-events, syft, crossplane-provider-aws-sqs, witness, crossplane-provider-azure-managedidentity, kubevela, pulumi-language-dotnet, kyverno,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: guac, sops, wal-g, gptscript, vcluster, crossplane-provider-aws-rds, trufflehog, policy-controller, argo-events, syft, crossplane-provider-aws-sqs, witness, crossplane-provider-azure-managedidentity, kubevela, pulumi-language-dotnet, kyverno,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: flux, gitlab-operator, cerbos, gitlab-runner-fips, trivy-operator-fips, crossplane-provider-aws-lambda, vault-fips, datadog-agent-fips, flux-source-controller-fips, kyverno-fips, amazon-ssm-agent-fips, grype-fips, crossplane-provider-aws-sqs-fips,...
BIT-FLUX-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...
EUVD-2022-3043
Malicious code in bioql PyPI...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: cloudnative-pg-fips, nfs-subdir-external-provisioner, kube-logging-operator, kubelet-csr-approver-fips, tofu-controller, undock, crossplane-provider-sql, harbor, docker-cli, crossplane-provider-sql-fips, kubescape-operator-fips, azure-aad-pod-identity-mic,...
CVE-2022-24877
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
GHSA-32GQ-X56H-299C vulnerabilities
Vulnerabilities for packages: litestream, age, chezmoi, grafana-fips, sops, age-fips, flux-kustomize-controller, sops-fips, ksops, flux-kustomize-controller-fips, grafana...
GO-2022-0260 Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: sqlpad, guac, prometheus-operator, sops, trino, ksops, bank-vaults, thanos, wal-g, zarf, goreleaser, fulcio, velero, py3-cassandra-medusa, grafana-mimir, flux-image-reflector-controller, opentelemetry-collector, py3-azure-identity, step, step-ca, tkn, restic,...
BIT-KUSTOMIZE-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-KUSTOMIZE-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-lambda, nfs-subdir-external-provisioner, kube-logging-operator, clusterctl, vertical-pod-autoscaler, falcosidekick-fips, azure-aad-pod-identity-mic, skopeo, cass-operator, atlantis-fips, cert-manager, crossplane-provider-aws-cloudformation,...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: cluster-autoscaler-fips, kiam, kube-oidc-proxy, prometheus-stackdriver-exporter, bank-vaults-fips, kubevela, smarter-device-manager-fips, terraform-provider-sendgrid, dgraph, terraform-provider-sendgrid-fips, kubescape, prometheus-blackbox-exporter, k3d,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: nodetaint, ko, bom, dex, node-problem-detector, wireguard-go, frp, envoy-ratelimit, kind, aws-efs-csi-driver, ip-masq-agent, secrets-store-csi-driver, kubevela, pulumi-language-dotnet, stakater-reloader, kpt, nghttp2, prometheus-adapter, cortex, ollama,...
Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause Denial of Service at controller level. In multi-tenancy deployments this can lead to multiple...