Rhoai Odh-Ml-Pipelines-Api-Server-V2-Rhel8 vulnerabilities

10 known vulnerabilities affecting rhoai/odh-ml-pipelines-api-server-v2-rhel8.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 3, LOW 3

Vulnerabilities

CVE-2026-8261 LOW CVSS 2.0 2026-05-11
CVE-2026-8261 [LOW] CWE-120 squirrel: Squirrel: Heap-based buffer overflow allows local denial of service. A flaw was found in Squirrel. A local attacker could exploit a heap-based buffer overflow vulnerability, which occurs when a program writes more data to a memory buffer than it can hold. This flaw, specifically affecting the SQFunctionProto::Load function within squirrel/sqobject.cpp, could lead to a denial of ser
redhat
CVE-2026-42295 HIGH CVSS 8.5 2026-05-09
CVE-2026-42295 [HIGH] CWE-256 github.com/argoproj/argo-workflows: Argo Workflows: Information disclosure via plaintext logging of artifact repository credentials. A flaw was found in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The workflow executor logs all artifact repository credentials, such as S3
redhat
CVE-2026-42183 LOW CVSS 2.3 2026-05-09
CVE-2026-42183 [LOW] CWE-476 github.com/argoproj/argo-workflows: Argo Workflows: Denial of Service via nil pointer dereference for SSO users. A flaw was found in Argo Workflows. This flaw, a nil pointer dereference in the `rbacAuthorization()` function, affects Single Sign-On (SSO) users. When `SSO_DELEGATE_RBAC_TO_NAMESPACE` is enabled, an authenticated SSO user whose claims match a n
redhat
CVE-2026-41889 LOW CVSS 2.3 2026-05-08
CVE-2026-41889 [LOW] CWE-89 github.com/jackc/pgx: golang: pgx: SQL injection via specific SQL query conditions. A flaw was found in pgx, a PostgreSQL driver and toolkit for Go. This SQL injection vulnerability can occur when using the non-default simple protocol, a dollar-quoted string literal in the SQL query, and when that string literal contains text interpreted as a placeholder with an attacker-controlled valu
redhat
CVE-2026-40886 HIGH CVSS 7.7 2026-04-23
CVE-2026-40886 [HIGH] CWE-1285 github.com/argoproj/argo-workflows: Argo Workflows: Denial of Service via malformed workflow pod annotation. A flaw was found in Argo Workflows, an open-source system for managing tasks in Kubernetes. An attacker with appropriate permissions can trigger a system-wide crash by submitting a specially crafted workflow pod with a malformed annotation. This vulner
redhat
CVE-2026-40938 HIGH CVSS 7.5 2026-04-21
CVE-2026-40938 [HIGH] CWE-88 github.com/tektoncd/pipeline: Tekton Pipelines: Arbitrary code execution and secret exfiltration via malicious git commands. A flaw was found in Tekton Pipelines, a system for declaring continuous integration/continuous delivery (CI/CD) pipelines. An authenticated user, able to submit `ResolutionRequest` objects, can exploit a vulnerability by i
redhat
CVE-2026-40161 HIGH CVSS 7.7 2026-04-21
CVE-2026-40161 [HIGH] CWE-918 github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure of Git API token via user-controlled serverURL. A flaw was found in Tekton Pipelines. A tenant with permissions to create TaskRun or PipelineRun resources can exploit this vulnerability. By omitting the Git API token parameter and pointing the serverURL to an attacker-controlled e
redhat
CVE-2026-40923 MEDIUM CVSS 5.4 2026-04-21
CVE-2026-40923 [MEDIUM] CWE-179 github.com/tektoncd/pipeline: Tekton Pipelines: Unauthorized access and information disclosure via path validation bypass. A flaw was found in Tekton Pipelines. An attacker can bypass restrictions on where volumes can be mounted by using specially crafted paths that include directory traversal sequences (e.g., `..`). This vulnerability, stemmin
redhat
CVE-2026-40924 MEDIUM CVSS 6.5 2026-04-21
CVE-2026-40924 [MEDIUM] CWE-770 github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via large HTTP response body. A flaw was found in Tekton Pipelines. A local user with specific permissions to create TaskRuns or PipelineRuns can exploit this by directing the HTTP resolver to an attacker-controlled server. This server can return a very large response body, leading to the tekton-pipelines-
redhat
CVE-2026-25542 MEDIUM CVSS 6.5 2026-04-21
CVE-2026-25542 [MEDIUM] CWE-625 github.com/tektoncd/pipeline: Tekton Pipelines: Security bypass due to regular expression matching flaw. A flaw was found in Tekton Pipelines. An attacker can bypass trusted resource verification policies by crafting a malicious source string that contains a trusted pattern as a substring. This is due to the `regexp.MatchString` function in Go matching patterns
redhat