pkg:Go/github.com/argoproj/argo-workflows/v3

All known vulnerabilities

• HIGH8.1CVE-2026-42296Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure
  from 0, < 3.7.14
• HIGH8.1CVE-2025-66626argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links
  >= 3.7.0, < 3.7.5
• HIGH8.1CVE-2025-66626argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links
  from 0, < 3.6.14, >= 3.7.0, < 3.7.5
• HIGH8.1argo-workflows Zip Slip path traversal allows arbitrary file write and container configuration overwrite
  from 0, < 3.6.12
• HIGH8.1argo-workflows Zip Slip path traversal allows arbitrary file write and container configuration overwrite
  from 0, < 3.6.12, >= 3.7.0, < 3.7.3
• HIGH7.7Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller
  >= 3.7.0, < 3.7.14
• HIGH7.5Argo Workflows has unauthorized access to Argo Workflows Template
  >= 3.7.0, < 3.7.11
• HIGH7.5Argo Workflows has unauthorized access to Argo Workflows Template
  from 0, < 3.7.11
• HIGH7.1Privilege Escalation in argo-workflows
  >= 2.6.0, < 3.2.11
• MEDIUM6.5Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows
  >= 3.1.0, < 3.1.6
• MEDIUM6.5Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows
  >= 3.1.0, < 3.1.6
• MEDIUM5.7Argo Workflows Controller: Denial of Service via malicious daemon Workflows in github.com/argoproj/argo-workflows
  >= 3.6.0-rc1, < 3.6.0-rc2
• MEDIUM5.7Argo Workflows Controller: Denial of Service via malicious daemon Workflows in github.com/argoproj/argo-workflows
  >= 3.6.0-rc1, < 3.6.0-rc2
• —Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
  from 0, < 3.7.14
• —WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode
  from 0, < 3.7.11
• —WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode
  from 0, < 3.7.11
• —Argo Workflows affected by stored XSS in the artifact directory listing
  from 0, < 3.6.17, >= 3.7.0, < 3.7.8
• —Argo Workflows affected by stored XSS in the artifact directory listing
  from 0, < 3.6.17
• —Argo Workflows exposes artifact repository credentials in workflow-controller logs
  from 0, < 3.6.12, >= 3.7.0, < 3.7.3
• —Argo Workflows exposes artifact repository credentials in workflow-controller logs
  >= 3.7.0, < 3.7.3
• —Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode
  >= 3.5.7, < 3.5.13, >= 3.6.0-rc1, < 3.6.2
• —Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode
  >= 3.5.7, < 3.5.13