7.3
CVE-2026-23960
- EPSS 0.34%
- Veröffentlicht 21.01.2026 22:15:50
- Zuletzt bearbeitet 30.06.2026 03:17:35
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Argo Workflows affected by stored XSS in the artifact directory listing
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Argoproj ≫ Argo Workflows SwPlatformgo Version < 3.6.17
Argoproj ≫ Argo Workflows SwPlatformgo Version >= 3.7.0 < 3.7.8
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.255 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 7.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.1 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
https://access.redhat.com/security/cve/CVE-2026-23960
https://bugzilla.redhat.com/show_bug.cgi?id=2431881
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23960.json