VYPR

Go modules package

github.com/akuity/kargo

pkg:golang/github.com/akuity/kargo

Vulnerabilities (4)

  • CVE-2026-32828 | Med | Mar 20, 2026
    affected >= 1.4.0, < 1.6.4 | fixed 1.6.4

    Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against link-lo

  • CVE-2026-27112 | Feb 20, 2026
    affected >= 1.9.0-rc.1, < 1.9.3 | fixed 1.9.3

    Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest

  • CVE-2026-27111 | Feb 20, 2026
    affected >= 1.9.0, < 1.9.3 | fixed 1.9.3

    Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to s

  • CVE-2026-24748 | Jan 27, 2026
    affected < 1.6.3 | fixed 1.6.3

    Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` he