pkg:Go/github.com/kyverno/kyverno

All known vulnerabilities

• CRITICAL9.9CVE-2026-22039Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
  from 0, < 1.15.3
• CRITICAL9.9CVE-2026-22039Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
  from 0, < 1.15.3, >= 1.16.0-rc.1, < 1.16.3
• HIGH8.5CVE-2026-4789CVE-2026-4789
  >= 1.16.0, < 1.17.0
• HIGH8.5CVE-2026-4789
  >= 1.16.0, <= 1.17.1
• HIGH8.5Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
  from 0, < 1.13.5, >= 1.14.0-alpha.1, < 1.14.0
• HIGH8.5Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
  from 0, < 1.13.5
• HIGH8.1Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
  from 0, < 1.17.0
• HIGH8.1kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
  from 0, < 1.17.0
• HIGH8.1Verification rule bypass in github.com/kyverno/kyverno
  >= 1.8.3, < 1.8.5
• HIGH8.1Verification rule bypass in github.com/kyverno/kyverno
  >= 1.8.3, < 1.8.5
• HIGH7.7Kyverno Controller Denial of Service via forEach Mutation Panic
  >= 1.13.0, < 1.16.4
• HIGH7.7Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
  from 0, <= 1.17.1
• HIGH7.7Kyverno Denial of Service via Context Variable Amplification in Policy Engine
  from 0, < 1.15.3
• HIGH7.7Kyverno Denial of Service via Context Variable Amplification in Policy Engine
  from 0, < 1.15.3, >= 1.16.0-rc.1, < 1.16.3
• HIGH7.7Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
  from 0, < 1.14.2
• HIGH7.7Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
  from 0, < 1.14.2
• HIGH7.5Kyverno's PolicyException objects can be created in any namespace by default
  from 0, < 1.13.0
• HIGH7.5Kyverno's PolicyException objects can be created in any namespace by default
  from 0, < 1.13.0
• HIGH7.1Attacker can cause Kyverno user to unintentionally consume insecure image
  from 0, < 1.10.5
• HIGH7.1Attacker can cause Kyverno user to unintentionally consume insecure image
  from 0, < 1.10.5
• MEDIUM6.5Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno
  from 0, < 1.10.0
• MEDIUM6.5Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno
  from 0, < 1.10.0
• MEDIUM5.8Kyverno ignores subjectRegExp and IssuerRegExp
  >= 1.13.0, < 1.14.0-alpha.1
• MEDIUM5.8Kyverno ignores subjectRegExp and IssuerRegExp
  from 0, < 1.14.0-alpha.1
• MEDIUM4.6kyverno seccomp control can be circumvented in github.com/kyverno/kyverno
  >= 1.9.2, < 1.9.4
• MEDIUM4.6kyverno seccomp control can be circumvented in github.com/kyverno/kyverno
  >= 1.9.2, < 1.9.4
• —Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
  >= 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f
• —Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno
  >= 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f
• —Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno
  >= 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f
• —Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno
  >= 1.5.0-rc1.0.20230601080528-80d139bb5d1d, < 1.5.0-rc1.0.20230918070231-fec2992e3f9f