CLEANSTART-2026-QO29688 Security fixes for CVE-2025-46394, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-58251, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61727, CVE-2025-61729, CVE-2025-61732, CVE-2025-68121, CVE-2026-24051, CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-34986, CVE-2026-35469, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39883, CVE-2026-42499, ghsa-cgrx-mc8f-2prm, ghsa-m6hq-p25p-ffr2, ghsa-pwhc-rpq9-4c8w, ghsa-xmrv-pmrh-hhx2 applied in versions: 1.17.0-r0, 1.17.0-r1, 1.17.2-r0, 1.17.2-r2

Multiple security vulnerabilities affect the velero package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-GB83728 Security fixes for CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501 applied in versions: 1.14.0-r0, 1.14.0-r1, 1.14.0-r2

Multiple security vulnerabilities affect the velero-plugin-for-microsoft-azure-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-BS27946 Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-35469, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39883, CVE-2026-42499, CVE-2026-42501, ghsa-78h2-9frx-2jm8, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x, ghsa-pc3f-x583-g7j2, ghsa-xmrv-pmrh-hhx2 applied in versions: 1.16.2-r2, 1.17.2-r0, 1.17.2-r1, 1.18.0-r0, 1.18.0-r1, 1.18.0-r2, 1.18.0-r3

Multiple security vulnerabilities affect the velero-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-BN09969 Security fixes for CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-78h2-9frx-2jm8, ghsa-hfvc-g4fc-pqhx, ghsa-mh2q-q3fh-2475, ghsa-p77j-4mvh-x3m3 applied in versions: 1.14.0-r2

Multiple security vulnerabilities affect the velero-plugin-for-gcp-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

Security Bulletin: IBM App Connect Enterprise Certified Container backup and restore is vulnerable to authorization bypass (CVE-2026-33186)

Summary gRPC-Go is used by the IBM App Connect Enterprise Certified Container Velero image. IBM App Connect Enterprise Certified Container deployments that use Velero for backup and restore are vulnerable to authorization bypass. This bulletin provides patch information to address the reported...

CLEANSTART-2026-WL14185 spdystream is a Go library for multiplexing streams over SPDY connections

Multiple security vulnerabilities affect the velero-fips package. spdystream is a Go library for multiplexing streams over SPDY connections. See references for individual vulnerability details...

CLEANSTART-2026-VN02574 spdystream is a Go library for multiplexing streams over SPDY connections

Multiple security vulnerabilities affect the velero-fips package. spdystream is a Go library for multiplexing streams over SPDY connections. See references for individual vulnerability details...

GHSA-PC3F-X583-G7J2 vulnerabilities

Vulnerabilities for packages: envoy-gateway, k8sgpt-operator, dynamic-localpv-provisioner, jitsucom-bulker, kubernetes, istio, k8ssandra-client, kubescape, zarf, aws-node-termination-handler, juicefs-csi-driver, docker-cli-buildx, kubevela, emissary, argo-workflows, kwok, tigera-operator, kiali,...

CVE-2026-35469 vulnerabilities

Vulnerabilities for packages: envoy-gateway, k8sgpt-operator, dynamic-localpv-provisioner, jitsucom-bulker, kubernetes, istio, k8ssandra-client, kubescape, zarf, aws-node-termination-handler, juicefs-csi-driver, docker-cli-buildx, kubevela, emissary, argo-workflows, kwok, tigera-operator, kiali,...

GHSA-PC3F-X583-G7J2 vulnerabilities

Vulnerabilities for packages: headlamp-fips, envoy-gateway, falcoctl, k9s, kubescape-server-fips, kots, k8ssandra-client-fips, kcp, eck-operator-fips, kcp-0.29, plugin-barman-cloud-fips, gitlab-runner, neuvector, grafana-fips, linkerd2-fips, zarf, velero-fips, kiali-fips, docker-cli-buildx-fips,...

CLEANSTART-2026-FB07695 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint

Multiple security vulnerabilities affect the velero-fips package. When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. See references for individual vulnerability...

CVE-2026-32281 vulnerabilities

Vulnerabilities for packages: goreleaser, kubernetes-csi-driver-hostpath, newrelic-infrastructure-agent, configmap-reload, conjur-cli, litefs, mods, docker-cli-buildx, azure-service-operator, argo-workflows, aws-flb-cloudwatch, croc, ipfs-cluster, kapp, rancher, cosign, authservice, task,...

GHSA-78H2-9FRX-2JM8 vulnerabilities

Vulnerabilities for packages: skopeo-fips, amazon-ssm-agent-fips, pulumi, tkn-fips, falcoctl, azcopy, k9s, sops-fips, flyte, gotrue-fips, opencost-fips, kiali-fips, containerd, argo-cd-fips, image-factory-fips, crossplane-provider-gcp-fips, reports-server, kyverno-policy-reporter,...

CLEANSTART-2026-JB52011 Security fixes for CVE-2025-47911, CVE-2025-58190, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-p77j-4mvh-x3m3 applied in versions: 1.11.1-r1, 1.11.1-r2

Multiple security vulnerabilities affect the velero-plugin-for-aws package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-DA83816 Security fixes for CVE-2026-33186, ghsa-p77j-4mvh-x3m3 applied in versions: 1.14.0-r0

Multiple security vulnerabilities affect the velero-plugin-for-aws package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-LS12576 Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 1.16.2-r2, 1.17.2-r0, 1.17.2-r1, 1.18.0-r0

Multiple security vulnerabilities affect the velero-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-OL25917 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the velero package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CLEANSTART-2026-GV62494 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the velero package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CLEANSTART-2026-KZ63902 tar

Multiple security vulnerabilities affect the velero-plugin-for-aws package. tar. See references for individual vulnerability details...

CLEANSTART-2026-DI05920 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the velero-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...