CVE-2026-32737 — Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another na

Description

Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace in github.com/ctfer-io/romeo/environment/deploy. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/ctfer-io/romeo/environment/deploy before v0.2.1.

How to fix CVE-2026-32737

To remediate CVE-2026-32737, upgrade the affected package to a fixed version below.

—upgrade to 0.2.1 or later
—no fix listed

Is CVE-2026-32737 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.2.1
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32737
PATCHgithub.com/ctfer-io/romeo
WEBgithub.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78
WEBgithub.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9