121 matches found

Chainguard
added 3 days ago, 6 views

GHSA-W2H3-VVVQ-3M53 vulnerabilities

Vulnerabilities for packages: tekton-pipelines, tekton-pipelines-fips...

AI score: 5.8
Exploits: 0
Chainguard
added 3 days ago, 7 views

CVE-2023-37264 vulnerabilities

Vulnerabilities for packages: tekton-pipelines, tekton-pipelines-fips...

CVSS: 4.3, AI score: 5.8, EPSS: 0.00318
Exploits: 1
Wolfi
added last week, 7 views

GHSA-W2H3-VVVQ-3M53 vulnerabilities

Vulnerabilities for packages: tekton-pipelines...

AI score: 5.8
Exploits: 0
Wolfi
added last week, 12 views

CVE-2023-37264 vulnerabilities

Vulnerabilities for packages: tekton-pipelines...

CVSS: 4.3, AI score: 5.8, EPSS: 0.00318
Exploits: 1
OSV
added 2026/05/18 1:43 p.m., 12 views

CLEANSTART-2026-HU33730 Security fixes for CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-34986, CVE-2026-39882, ghsa-78h2-9frx-2jm8, ghsa-9h8m-3fm2-qjrq, ghsa-f6x5-jh6r-wrfv, ghsa-fcv2-xgw5-pqxf, ghsa-j5w8-q4qc-rx2x, ghsa-p436-gjf2-799p, ghsa-p77j-4mvh-x3m3, ghsa-w8rr-5gcm-pp58 applied in versions: 1.10.2-r0, 1.5.0-r0, 1.5.0-r1, 1.5.0-r2, 1.5.0-r3, 1.5.0-r4

Multiple security vulnerabilities affect the tekton-pipelines package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS: 10, AI score: 5.8, EPSS: 0.00765
Exploits: 5, References: 37
OSV
added 2026/05/18 1:43 p.m., 7 views

CLEANSTART-2026-UG89030 Security fixes for CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-34986, CVE-2026-39882, ghsa-78h2-9frx-2jm8, ghsa-9h8m-3fm2-qjrq, ghsa-f6x5-jh6r-wrfv, ghsa-fcv2-xgw5-pqxf, ghsa-j5w8-q4qc-rx2x, ghsa-p436-gjf2-799p, ghsa-w8rr-5gcm-pp58 applied in versions: 1.11.0-r0, 1.5.0-r0, 1.5.0-r1, 1.5.0-r2, 1.5.0-r3, 1.5.0-r4

Multiple security vulnerabilities affect the tekton-pipelines package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS: 10, AI score: 7.2, EPSS: 0.00765
Exploits: 4, References: 34
OSV
added 2026/05/18 1:43 p.m., 7 views

CLEANSTART-2026-CI59834 Security fixes for CVE-2025-15558, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-34986, CVE-2026-39882, CVE-2026-39883, ghsa-78h2-9frx-2jm8, ghsa-9h8m-3fm2-qjrq, ghsa-f6x5-jh6r-wrfv, ghsa-fcv2-xgw5-pqxf, ghsa-hfvc-g4fc-pqhx, ghsa-j5w8-q4qc-rx2x, ghsa-mh2q-q3fh-2475, ghsa-p436-gjf2-799p, ghsa-p77j-4mvh-x3m3, ghsa-w8rr-5gcm-pp58 applied in versions: 1.5.0-r0, 1.5.0-r1, 1.5.0-r2, 1.5.0-r3, 1.5.0-r4, 1.7.0-r0

Multiple security vulnerabilities affect the tekton-pipelines package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS: 10, AI score: 6.9, EPSS: 0.00765
Exploits: 6, References: 43
OSV
added 2026/04/30 12:39 a.m., 4 views

CLEANSTART-2026-CZ07385 Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default

Multiple security vulnerabilities affect the tekton-pipelines-fips package. Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. See references for individual vulnerability details...

CVSS: 9.8, AI score: 6.9, EPSS: 0.00765
Exploits: 5, References: 29
OSV
added 2026/04/30 12:38 a.m., 3 views

CLEANSTART-2026-FU04414 Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default

Multiple security vulnerabilities affect the tekton-pipelines-fips package. Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. See references for individual vulnerability details...

CVSS: 9.8, AI score: 6.9, EPSS: 0.00765
Exploits: 5, References: 30
OSV
added 2026/04/30 12:36 a.m., 8 views

CLEANSTART-2026-FK30234 Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web To...

Multiple security vulnerabilities affect the tekton-pipelines-fips package. Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. See...

CVSS: 9.8, AI score: 5.4, EPSS: 0.00765
Exploits: 3, References: 16
RedhatCVE
added 2026/04/29 8:36 a.m., 5 views

CVE-2026-40924

A flaw was found in Tekton Pipelines. A local user with specific permissions to create TaskRuns or PipelineRuns can exploit this by directing the HTTP resolver to an attacker-controlled server. This server can return a very large response body, leading to the tekton-pipelines-resolvers pod...

CVSS: 6.5, AI score: 4.9, EPSS: 0.00318
Exploits: 1, References: 5
RedhatCVE
added 2026/04/28 1:35 a.m., 8 views

CVE-2026-40923

A flaw was found in Tekton Pipelines. An attacker can bypass restrictions on where volumes can be mounted by using specially crafted paths that include directory traversal sequences (e.g., ..). This vulnerability, stemming from an incomplete path validation check, could allow unauthorized access to...

CVSS: 5.4, AI score: 5.2, EPSS: 0.0022
Exploits: 0, References: 5
RedhatCVE
added 2026/04/23 11:20 p.m., 4 views

CVE-2026-40161

A flaw was found in Tekton Pipelines. A tenant with permissions to create TaskRun or PipelineRun resources can exploit this vulnerability. By omitting the Git API token parameter and pointing the serverURL to an attacker-controlled endpoint, the system-configured Git API token such as a GitHub...

CVSS: 7.7, AI score: 5.7, EPSS: 0.0026
Exploits: 0, References: 6
SUSE CVE
added 2026/04/23 1:27 a.m., 5 views

SUSE CVE-2026-25542

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string refSource.URI against spec.resources.pattern...

CVSS: 6.5, AI score: 5.8, EPSS: 0.00264
Exploits: 1, References: 3
SUSE CVE
added 2026/04/23 1:23 a.m., 5 views

SUSE CVE-2026-40161

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL...

CVSS: 7.7, AI score: 5.8, EPSS: 0.0026
Exploits: 0, References: 3
SUSE CVE
added 2026/04/23 1:23 a.m., 3 views

SUSE CVE-2026-40923

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

CVSS: 5.4, AI score: 5.8, EPSS: 0.0022
Exploits: 0, References: 3
SUSE CVE
added 2026/04/23 1:23 a.m., 7 views

SUSE CVE-2026-40924

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant...

CVSS: 6.5, AI score: 5.9, EPSS: 0.00318
Exploits: 1, References: 3
SUSE CVE
added 2026/04/23 1:23 a.m., 7 views

SUSE CVE-2026-40938

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...

CVSS: 8.5, AI score: 6.4, EPSS: 0.00516
Exploits: 1, References: 3
RedhatCVE
added 2026/04/22 8:38 p.m., 5 views

CVE-2026-25542

A flaw was found in Tekton Pipelines. An attacker can bypass trusted resource verification policies by crafting a malicious source string that contains a trusted pattern as a substring. This is due to the regexp.MatchString function in Go matching patterns anywhere within a string, rather than...

CVSS: 6.5, AI score: 5.5, EPSS: 0.00264
Exploits: 1, References: 5
NVD
added 2026/04/21 9:16 p.m., 3 views

CVE-2026-40938

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...

CVSS: 8.5, EPSS: 0.00516
Exploits: 1, References: 2