EUVD-2026-22814
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write...
PT-2026-32968
Impact This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches 4793, now fixed in version v0.74.2 Workarounds Avoid inspecting unsigned packages Description The package inspect sbom and package inspect documentation...
CVE-2026-4660 vulnerabilities
Vulnerabilities for packages: task, xeol, trivy-operator, grype, steampipe, k9s, opentofu, zot, tfsec, zarf, kots, terraform, kubescape, tflint, wolfictl, syft, conftest, snyk-cli, terragrunt, trivy...
GHSA-92MM-2PJQ-R785 vulnerabilities
Vulnerabilities for packages: task, xeol, trivy-operator, grype, steampipe, k9s, opentofu, zot, tfsec, zarf, kots, terraform, kubescape, tflint, wolfictl, syft, conftest, snyk-cli, terragrunt, trivy...
CVE-2026-33762 vulnerabilities
Vulnerabilities for packages: flux-source-controller-fips, zot, argocd-image-updater, trivy-fips, skaffold, rancher-fleet, kaniko, apko, src-fingerprint, kargo, flux-image-automation-controller, kyverno-fips, pulumi-language-java, snyk-cli, trufflehog-fips, gomplate-fips, syft-fips, gitlab-runner...
GHSA-GM2X-2G9H-CCM8 vulnerabilities
Vulnerabilities for packages: flux-source-controller-fips, zot, argocd-image-updater, trivy-fips, skaffold, rancher-fleet, kaniko, apko, src-fingerprint, kargo, flux-image-automation-controller, kyverno-fips, pulumi-language-java, snyk-cli, trufflehog-fips, gomplate-fips, syft-fips, gitlab-runner...
CVE-2026-34165 vulnerabilities
Vulnerabilities for packages: flux-source-controller-fips, zot, argocd-image-updater, trivy-fips, skaffold, rancher-fleet, kaniko, apko, src-fingerprint, kargo, flux-image-automation-controller, kyverno-fips, pulumi-language-java, snyk-cli, trufflehog-fips, gomplate-fips, syft-fips, gitlab-runner...
CVE-2026-33762 vulnerabilities
Vulnerabilities for packages: apko, xeol, flux-image-automation-controller, trivy-operator, gitea, grafana-alloy, grype, argo-cd, melange, external-secrets-operator, src-fingerprint, kargo, argocd-image-updater, grafana, kaniko, kyverno, pulumi-kubernetes-operator, k9s, pulumi-language-java,...
GHSA-GM2X-2G9H-CCM8 vulnerabilities
Vulnerabilities for packages: apko, xeol, flux-image-automation-controller, trivy-operator, gitea, grafana-alloy, grype, argo-cd, melange, external-secrets-operator, src-fingerprint, kargo, argocd-image-updater, grafana, kaniko, kyverno, pulumi-kubernetes-operator, k9s, pulumi-language-java,...
CVE-2026-34165 vulnerabilities
Vulnerabilities for packages: apko, xeol, flux-image-automation-controller, trivy-operator, gitea, grafana-alloy, grype, argo-cd, melange, external-secrets-operator, src-fingerprint, kargo, argocd-image-updater, grafana, kaniko, kyverno, pulumi-kubernetes-operator, k9s, pulumi-language-java,...
GHSA-JHF3-XXHW-2WPP vulnerabilities
Vulnerabilities for packages: apko, xeol, flux-image-automation-controller, trivy-operator, gitea, grafana-alloy, grype, argo-cd, melange, external-secrets-operator, src-fingerprint, kargo, argocd-image-updater, grafana, kaniko, kyverno, pulumi-kubernetes-operator, k9s, pulumi-language-java,...
SUSE CVE-2026-29064
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or...
GO-2026-4636 Zarf's symlink targets in archives are not validated against destination directory in github.com/zarf-dev/zarf
Zarf's symlink targets in archives are not validated against destination directory in github.com/zarf-dev/zarf...
CVE-2026-29064
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or...
EUVD-2026-10044
Zarf's symlink targets in archives are not validated against destination directory...
GHSA-HCM4-6HPJ-VGHM Zarf's symlink targets in archives are not validated against destination directory
Summary A path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. What users should do Upgrade immediately to version...
CVE-2026-29064 Zarf: Symlink targets in archives are not validated against destination directory
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or...