CVE-2026-23960
HIGH SEVERITY
Vulnerability Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-79
Source
GitHub
Vendor
go
Product
github.com/argoproj/argo-workflows/v3
External References
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
- https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
- https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
- https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
- https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
- https://nvd.nist.gov/vuln/detail/CVE-2026-23960
- https://github.com/advisories/GHSA-cv78-6m8q-ph82