Ingress Nginx
by Kubernetes
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3288 | High | 0.57 | 8.8 | 0.00 | | Mar 9, 2026 | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) |
| CVE-2026-4342 | High | 0.50 | 8.8 | 0.00 | | Mar 19, 2026 | A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) |
| CVE-2023-5044 | | 0.01 | — | 0.10 | | Oct 25, 2023 | Code injection via `nginx.ingress.kubernetes.io/permanent-redirect` annotation. |
| CVE-2023-5043 | | 0.00 | — | 0.04 | | Oct 25, 2023 | Ingress nginx annotation injection causes arbitrary command execution. |
| CVE-2022-4886 | | 0.00 | — | 0.00 | | Oct 25, 2023 | Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. |
| CVE-2020-8553 | | 0.00 | — | 0.01 | | Jul 29, 2020 | The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses `nginx.ingress.kubernetes.io/auth-type: basic` and which has a hyphenated namespace or secret name. |