github.com/argoproj/argo-cd/v2 vulnerabilities
46 known vulnerabilities affecting github.com/argoproj_argo-cd_v2.
Total CVEs: 46
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 13, MEDIUM 16, UNKNOWN 9
Vulnerabilities
Page 3 of 3
CVE-2022-24904 [MEDIUM] CWE-59 Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server
Priority: P4 · Affected versions: ≥ 0, < 2.1.15; ≥ 2.2.0, < 2.2.9; +1 more · Published: 2022-05-23
### Impact
All unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user with write access for a repository
CVE-2023-40026 [MEDIUM] CWE-22 Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
Priority: P4 · Affected versions: ≥ 0, < 2.3.0 · Published: 2023-09-27
### Impact
In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible b
CVE-2022-24905 [MEDIUM] CWE-20 Login screen allows message spoofing if SSO is enabled
Priority: P4 · Affected versions: ≥ 2.3.0, < 2.3.4; ≥ 2.2.0, < 2.2.9; +1 more · Published: 2022-05-24
### Impact
A vulnerability was found in Argo CD that allows an attacker to spoof error messages on the login screen when SSO is enabled.
In order to exploit this vulnerability, an attacker would have to trick the victim into visiting a specially crafted URL which contains the message to be displayed.
As far as the research of the Argo CD team concluded, it i
CVE-2024-36106 [UNKNOWN] Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd
Priority: P4 · Affected versions: ≥ 0, < 2.9.17; ≥ 2.10.0, < 2.10.12; +1 more · Published: 2024-06-28
CVE-2021-23347 [MEDIUM] CWE-79 Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
Priority: P4 · Affected versions: ≥ 0, < 1.7.13; ≥ 1.8.0, < 1.8.6 · Published: 2021-05-21
### Impact
When using SSO with the Argo CD CLI, a malicious SSO provider could have sent a specially crafted error message that would result in XSS on the client by means of executing arbitrary JavaScript code.
We believe the exploitation of this vulnerability is only possible when Argo CD is connected to a compro
CVE-2026-45738 [HIGH] CWE-79 Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
Affected versions: ≥ 0, ≤ 2.14.21 · Published: 2026-05-19
### Summary
A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `` elements without URL validation. Using the