CVE-2026-23960

HIGH EPSS 15.6%
Published Jan 21, 20265mo ago · Modified Jun 17, 20261w ago
7.3 CVSS 4.0
High
Find Similar
Published Jan 21, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

CVSS Details

Base Score
7.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
15.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

VendorProductVersionRange
argoprojargo_workflows* <3.6.17
argoprojargo_workflows*≥3.7.0  –  <3.7.8

References 5

  • github.com https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
    Product
  • github.com https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
    Patch
  • github.com https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
    ProductRelease Notes
  • github.com https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
    ProductRelease Notes
  • github.com https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
    Patch