apk package

wolfi/argo-cd-2.14-compat

pkg:apk/wolfi/argo-cd-2.14-compat

Vulnerabilities (28)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-27142	Med	6.1	< 2.14.21-r10	2.14.21-r10	Mar 6, 2026	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139	Low	2.5	< 2.14.21-r10	2.14.21-r10	Mar 6, 2026	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679	Hig	7.5	< 2.14.21-r10	2.14.21-r10	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-1229		—	< 2.14.21-r9	2.14.21-r9	Feb 24, 2026	The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-25934		—	< 2.14.21-r8	2.14.21-r8	Feb 9, 2026	go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
CVE-2025-68121	Cri	10.0	< 2.14.21-r7	2.14.21-r7	Feb 5, 2026	During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732		—	< 2.14.21-r7	2.14.21-r7	Feb 5, 2026	A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728		—	< 2.14.21-r5	2.14.21-r5	Jan 28, 2026	archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726		—	< 2.14.21-r5	2.14.21-r5	Jan 28, 2026	The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61730		—	< 2.14.21-r5	2.14.21-r5	Jan 28, 2026	During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i
CVE-2025-61731		—	< 2.14.21-r9	2.14.21-r9	Jan 28, 2026	Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-68119		—	< 2.14.21-r5	2.14.21-r5	Jan 28, 2026	Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
CVE-2025-47914		—	< 2.14.21-r3	2.14.21-r3	Nov 19, 2025	SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181		—	< 2.14.21-r3	2.14.21-r3	Nov 19, 2025	SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-5187	Med	6.7	< 2.14.15-r4	2.14.15-r4	Aug 27, 2025	A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su
CVE-2025-47907		—	< 2.14.15-r3	2.14.15-r3	Aug 7, 2025	Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-8556	Low	3.7	< 2.14.14-r1	2.14.14-r1	Aug 6, 2025	A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-47933		—	< 2.14.13-r0	2.14.13-r0	May 29, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke
CVE-2025-22872	Med	6.5	< 2.14.10-r2	2.14.10-r2	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-30204	Hig	7.5	< 2.14.7-r1	2.14.7-r1	Mar 21, 2025	golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

CVE-2026-27142MedMar 6, 2026
affected < 2.14.21-r10fixed 2.14.21-r10
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139LowMar 6, 2026
affected < 2.14.21-r10fixed 2.14.21-r10
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679HigMar 6, 2026
affected < 2.14.21-r10fixed 2.14.21-r10
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-1229Feb 24, 2026
affected < 2.14.21-r9fixed 2.14.21-r9
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-25934Feb 9, 2026
affected < 2.14.21-r8fixed 2.14.21-r8
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
CVE-2025-68121CriFeb 5, 2026
affected < 2.14.21-r7fixed 2.14.21-r7
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732Feb 5, 2026
affected < 2.14.21-r7fixed 2.14.21-r7
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728Jan 28, 2026
affected < 2.14.21-r5fixed 2.14.21-r5
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726Jan 28, 2026
affected < 2.14.21-r5fixed 2.14.21-r5
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61730Jan 28, 2026
affected < 2.14.21-r5fixed 2.14.21-r5
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i
CVE-2025-61731Jan 28, 2026
affected < 2.14.21-r9fixed 2.14.21-r9
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-68119Jan 28, 2026
affected < 2.14.21-r5fixed 2.14.21-r5
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
CVE-2025-47914Nov 19, 2025
affected < 2.14.21-r3fixed 2.14.21-r3
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181Nov 19, 2025
affected < 2.14.21-r3fixed 2.14.21-r3
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-5187MedAug 27, 2025
affected < 2.14.15-r4fixed 2.14.15-r4
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su
CVE-2025-47907Aug 7, 2025
affected < 2.14.15-r3fixed 2.14.15-r3
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-8556LowAug 6, 2025
affected < 2.14.14-r1fixed 2.14.14-r1
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-47933May 29, 2025
affected < 2.14.13-r0fixed 2.14.13-r0
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke
CVE-2025-22872MedApr 16, 2025
affected < 2.14.10-r2fixed 2.14.10-r2
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-30204HigMar 21, 2025
affected < 2.14.7-r1fixed 2.14.7-r1
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

Page 1 of 2