GHSA-R2PG-R6H7-CRF3 External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
Summary: The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service (CVE-2026-34043)
Summary: Node.js module serialize-javascript is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in...
PT-2026-32571
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions prior to 2.3.0. Description: The v2 template engine in runtime/template/v2/template.go removes env and expandenv from TxtFuncMap but leaves the getHostByName function accessible to user-controlled templates...
GHSA-77V3-R3JW-J2V2 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-22822 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: nova, trivy, eksctl, linkerd2, cert-manager-cmctl, kube-arangodb, chart-testing, helm-push, zot, cerbos, tw, cluster-api-helm-controller, kuma, zarf, envoy-gateway, trivy-operator, helm-mapkubeapis, kubescape, istio, flux, rancher-fleet, kots, pluto, harbor, headlamp...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: nova, trivy, eksctl, linkerd2, cert-manager-cmctl, kube-arangodb, chart-testing, helm-push, zot, cerbos, tw, cluster-api-helm-controller, kuma, zarf, envoy-gateway, trivy-operator, helm-mapkubeapis, kubescape, istio, flux, rancher-fleet, kots, pluto, harbor, headlamp...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: chartmuseum, headlamp, chartmuseum-fips, k9s-fips, flux, kubescape-server, linkerd2, kubescape-server-fips, pluto-fips, linkerd2-fips, envoy-gateway-fips, kube-arangodb-fips, cloudbeat, trivy, tigera-operator, cerbos-fips, trivy-fips, eksctl, k8ssandra-client-fips,...
CVE-2026-32282 vulnerabilities
Vulnerabilities for packages: gatekeeper, cert-manager, gitlab-pages, kubernetes-dashboard, kyverno, mattermost, kine, datadog-agent, external-secrets-operator, knative-operator, kube-arangodb, zot, k3s, knative-serving, runc, ingress-nginx-controller, prometheus, net-kourier, falco-no-driver,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: nova, apko, fluxcd-kustomize-mutating-webhook, external-secrets-operator, goreleaser, aws-network-policy-agent, newrelic-k8s-metadata-injection, sftpgo-plugin-eventsearch, secrets-store-csi-driver-provider-aws, envoy-ratelimit, github-mcp-server,...
CVE-2026-32281 vulnerabilities
Vulnerabilities for packages: trivy, kapp, datadog-agent, caddy, crossplane-provider-azure-managedidentity, http-echo, kube-bench, ingress-nginx-controller, docker-machine-driver-harvester, terraform-provider-azuread, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs,...
CVE-2026-32289 vulnerabilities
Vulnerabilities for packages: aws-efs-csi-driver, minio-object-browser, trivy, cert-manager-csi-driver, datadog-agent, contour, nuclei, caddy, cert-manager-cmctl, crossplane-provider-azure-managedidentity, ko, newrelic-infrastructure-agent, docker-credential-gcr, sftpgo-plugin-eventsearch,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: aws-efs-csi-driver, minio-object-browser, trivy, cert-manager-csi-driver, datadog-agent, contour, nuclei, caddy, cert-manager-cmctl, crossplane-provider-azure-managedidentity, ko, newrelic-infrastructure-agent, docker-credential-gcr, sftpgo-plugin-eventsearch,...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: trivy, kapp, datadog-agent, caddy, crossplane-provider-azure-managedidentity, http-echo, kube-bench, ingress-nginx-controller, docker-machine-driver-harvester, terraform-provider-azuread, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs,...
GHSA-JRG3-GFJW-HM96 vulnerabilities
Vulnerabilities for packages: trivy, kapp, datadog-agent, caddy, crossplane-provider-azure-managedidentity, http-echo, kube-bench, ingress-nginx-controller, docker-machine-driver-harvester, terraform-provider-azuread, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: nodetaint, temporal, mariadb-operator, nfs-subdir-external-provisioner, flux-image-automation-controller-fips, cilium-certgen-fips, flux-operator, karpenter, smokescreen, secrets-store-csi-driver-provider-aws, local-path-provisioner,...
CVE-2026-33810 vulnerabilities
Vulnerabilities for packages: nodetaint, temporal, mariadb-operator, nfs-subdir-external-provisioner, flux-image-automation-controller-fips, cilium-certgen-fips, flux-operator, karpenter, smokescreen, secrets-store-csi-driver-provider-aws, local-path-provisioner,...
CVE-2026-32288 vulnerabilities
Vulnerabilities for packages: caddy, kubescape-server, gomplate, kube-arangodb-fips, trivy-fips, vault-csi-provider, k8ssandra-client, prometheus-fips, harbor-fips, helm-push, knative-eventing, rke2-runtime, kube-fluentd-operator, cloud-provider-aws, mesosphere-vsphere-csi-fips,...