VYPR
Vendor: Kyverno

Products: 1
CVEs: 20 (across products: 20)
Status: Private

Recent CVEs (20)
  • CVE-2026-4789 (Critical), Mar 30, 2026
    risk 0.57, CVSS 9.8, EPSS 0.01

    Kyverno versions 1.16.0 and later are vulnerable to SSRF due to unrestricted CEL HTTP functions.

  • CVE-2026-41323 (High), Apr 24, 2026
    risk 0.46, CVSS 8.1, EPSS 0.01

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The…

  • CVE-2026-40868 (High), Apr 21, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an…

  • CVE-2026-41485 (High), Apr 24, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide…

  • CVE-2026-41068 (High), Apr 24, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical…

  • CVE-2026-44245 (Medium), May 12, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The…

  • CVE-2026-23881, Jan 27, 2026
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies…

  • CVE-2026-22039, Jan 27, 2026
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller…

  • CVE-2025-47281, Jul 23, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno…

  • CVE-2025-46342, Apr 30, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due…

  • CVE-2025-29778, Mar 24, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the…

  • CVE-2024-48921, Oct 29, 2024
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, i.e. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not…

  • CVE-2023-47630, Nov 14, 2023
    risk 0.00, CVSS not listed, EPSS 0.00

    Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The…

  • CVE-2023-42813, Nov 13, 2023
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno…

  • CVE-2023-42814, Nov 13, 2023
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno…

  • CVE-2023-42815, Nov 13, 2023
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno…

  • CVE-2023-42816, Nov 13, 2023
    risk 0.00, CVSS not listed, EPSS 0.00

    Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno…

  • CVE-2023-34091, Jun 1, 2023
    risk 0.00, CVSS not listed, EPSS 0.01

    Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to…

  • CVE-2023-33191, May 30, 2023
    risk 0.00, CVSS not listed, EPSS 0.00

    Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.

  • CVE-2022-47633, Dec 23, 2022
    risk 0.00, CVSS not listed, EPSS 0.01

    An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in…