VYPR

Kargo

by Akuity

CVEs (5)

  • CVE-2026-42350 | Severity: Med | Published: May 8, 2026
    risk 0.26 | cvss not listed | epss 0.00

    Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and…

  • CVE-2026-32828 | Severity: Med | Published: Mar 20, 2026
    risk 0.25 | cvss 4.9 | epss 0.00

    Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery (SSRF) against…

  • CVE-2026-27112 | Severity: not listed | Published: Feb 20, 2026
    risk 0.00 | cvss not listed | epss 0.00

    Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can…

  • CVE-2026-27111 | Severity: not listed | Published: Feb 20, 2026
    risk 0.00 | cvss not listed | epss 0.00

    Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to…

  • CVE-2026-24748 | Severity: not listed | Published: Jan 27, 2026
    risk 0.00 | cvss not listed | epss 0.00

    Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization`…
