VYPR

apk package

chainguard/argo-workflow-controller-fips-4.0

pkg:apk/chainguard/argo-workflow-controller-fips-4.0

Vulnerabilities (29)

  • CVE-2026-33186CriMar 20, 2026
    affected < 4.0.3-r1fixed 4.0.3-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-15558Mar 4, 2026
    affected < 4.0.1-r5fixed 4.0.1-r5

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-26958LowFeb 19, 2026
    affected < 4.0.1-r1fixed 4.0.1-r1

    filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin

  • CVE-2026-24051HigFeb 2, 2026
    affected < 4.0.1-r3fixed 4.0.1-r3

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2026-23960Jan 21, 2026
    affected < 4.0.2-r0fixed 4.0.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser u

  • CVE-2025-66626Dec 9, 2025
    affected < 4.0.2-r0fixed 4.0.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's

  • CVE-2025-62157Oct 14, 2025
    affected < 4.0.2-r0fixed 4.0.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack

  • CVE-2025-62156Oct 14, 2025
    affected < 4.0.2-r0fixed 4.0.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack

  • CVE-2022-29164May 5, 2022
    affected < 4.0.2-r0fixed 4.0.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow which produces a HTML artifact containing an HTML file that contains a script which uses XHR calls to interact w

Page 2 of 2