VYPR

Kestra

by Kestra

Source repositories

CVEs (6)

  • CVE-2026-38428 | Cri | May 5, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL…

  • CVE-2026-34612 | Cri | Apr 3, 2026
    risk 0.57 | cvss 9.9 | epss 0.01

    Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a…

  • CVE-2025-53543 | Med | Jul 7, 2025
    risk 0.20 | cvss 4.2 | epss 0.00

    Kestra is an event-driven orchestration platform. The error message in execution "Overview" tab is vulnerable to stored XSS due to improper handling of HTTP response received. This vulnerability is fixed in 0.22.0.

  • CVE-2026-48129 | Jun 19, 2026
    risk 0.00 | cvss | epss 0.00

    Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an…

  • CVE-2026-33664 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    Kestra is an open-source, event-driven orchestration platform. Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields (description, inputs[].displayName, inputs[].description) through the Markdown.vue component instantiated with html: true. The…

  • CVE-2026-29082 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.00

    Kestra is an event-driven orchestration platform. In versions 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time…