CVE-2026-23960
EPSS 0.06%
Argo Workflows affected by stored XSS in the artifact directory listing in github.com/argoproj/argo-workflows
Published: 1/21/2026
Modified: 2/4/2026
Description
Argo Workflows affected by stored XSS in the artifact directory listing in github.com/argoproj/argo-workflows
Affected packages (6)
- Bitnami/argo-workflows: from 0, < 3.6.17, >= 3.7.0, < 3.7.8
- Go/github.com/argoproj/argo-workflows: from 0, <= 2.5.3-rc4
- Go/github.com/argoproj/argo-workflows: from 0
- Go/github.com/argoproj/argo-workflows/v2: from 0
- Go/github.com/argoproj/argo-workflows/v3: from 0, < 3.6.17
- Go/github.com/argoproj/argo-workflows/v3: from 0, < 3.6.17, >= 3.7.0, < 3.7.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-23960
- PATCH: https://github.com/argoproj/argo-workflows
- WEB: https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
- WEB: https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
- WEB: https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
- WEB: https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
- WEB: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82