VYPR

Go modules package

github.com/external-secrets/external-secrets

pkg:golang/github.com/external-secrets/external-secrets

Vulnerabilities (5)

  • CVE-2026-42875MedMay 11, 2026
    affected < 2.4.0fixed 2.4.0

    External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caPro

  • CVE-2026-34984MedApr 14, 2026
    affected < 1.3.3-0.20260331202714-6800989bdc12fixed 1.3.3-0.20260331202714-6800989bdc12

    External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig

  • CVE-2026-22822Jan 21, 2026
    affected >= 0.20.2, < 1.2.0fixed 1.2.0

    External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Managem

  • CVE-2025-55196HigAug 13, 2025
    affected >= 0.15.0, < 0.19.2fixed 0.19.2

    External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controlle

  • CVE-2024-45041Sep 9, 2024
    affected < 0.10.2fixed 0.10.2

    External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secr