9 matches found

ATTACKERKB
added 2026/05/26 2:38 p.m. · 4 views

CVE-2026-40564

Files or Directories Accessible to External Parties, Server-Side Request Forgery SSRF vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files...

AI score 5.8 · EPSS 0.00053
Exploits 1 · References 2 · Affected Software 1

Vulnrichment
added 2026/05/26 2:38 p.m. · 3 views

CVE-2026-40564 Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator

Files or Directories Accessible to External Parties, Server-Side Request Forgery SSRF vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files...

AI score 5.8 · EPSS 0.00053
Exploits 1 · References 1

Veracode
added 2026/04/07 4:11 p.m. · 1 view

Improper Link Resolution

kubevirt.io/kubevirt is vulnerable to improper link resolution. The vulnerability is due to lack of verification of whether the launcher-sock is a symlink or regular file, which allows an attacker with control over the virt-launcher pod file system to manipulate file ownership on the host and...

CVSS 5 · AI score 6 · EPSS 0.00032
Exploits 1 · References 4 · Affected Software 1

CNNVD
added 2026/03/23 12:00 a.m. · 2 views

Tekton Pipelines Path Traversal Vulnerability

Tekton Pipelines is a cloud-native pipeline developed by Tekton Open Source. Versions of Tekton Pipelines prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contained a path traversal vulnerability. This vulnerability stemmed from issues with the git resolver’s path traversal mechanism, which could...

CVSS 9.6 · AI score 6.4 · EPSS 0.00028
Exploits 0 · References 9

OSV
added 2025/12/02 5:36 p.m. · 1 view

BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...

CVSS 9.9 · AI score 7 · EPSS 0.00617
Exploits 0 · References 2

OSV
added 2025/11/07 11:15 p.m. · 1 view

AZL-69799 CVE-2025-64433 affecting package kubevirt for versions less than 1.5.3-2

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM...

CVSS 6.5 · AI score 6.8 · EPSS 0.0009
Exploits 1 · References 1

CNNVD
added 2022/05/06 12:00 a.m. · 1 view

Flux2 Path Traversal Vulnerability

kustomize-controller is a Kubernetes operator that specializes in running continuous delivery pipelines for infrastructures and workloads defined with a Kubernetes manifest and assembled using Kustomize. flux2 is a tool from the Cloud Native Computing Foundation that keeps Kubernetes clusters in...

CVSS 9.9 · AI score 8.2 · EPSS 0.00617
Exploits 0 · References 2

Github Security Blog
added 2022/05/04 6:04 p.m. · 24 views

Improper path handling in kustomization files allows path traversal

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted kustomization.yaml to expose sensitive data from the controller’s pod filesystem. In multi-tenancy...

CVSS 9.9 · AI score 0.1 · EPSS 0.00617
Exploits 0 · References 5 · Affected Software 2

Positive Technologies
added 2022/05/04 12:00 a.m. · 1 view

PT-2022-16949 · Unknown +1 · Kustomize-Controller +1

Name of the Vulnerable Software and Affected Versions: kustomize-controller versions prior to 0.24.0; flux2 versions prior to 0.29.0. Description: The issue concerns a Path Traversal vulnerability in the kustomize-controller via a malicious kustomization.yaml file, allowing an attacker to expose...

CVSS 9.9 · AI score 7.4 · EPSS 0.00617
Exploits 0 · References 10