CVE-2026-49984
- EPSS -
- Published 26.06.2026 20:55:44
- Last modified 26.06.2026 22:16:32
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker ...
CVE-2026-38428
- EPSS 0.37%
- Published 05.05.2026 00:00:00
- Last modified 08.05.2026 19:24:29
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers ca...
- EPSS 0.66%
- Published 03.04.2026 22:39:31
- Last modified 13.04.2026 17:36:59
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/...
CVE-2026-33664
- EPSS 0.26%
- Published 26.03.2026 21:13:12
- Last modified 31.03.2026 01:48:34
Kestra is an open-source, event-driven orchestration platform. Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs[].displayName, inputs[].description — through the Markdown.vue component instantiate...
CVE-2026-29082
- EPSS 0.23%
- Published 06.03.2026 16:33:31
- Last modified 10.03.2026 21:00:33
Kestra is an event-driven orchestration platform. In versions 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html with...