CRITICAL9.9CVE-2026-22039Kyverno Cross-Namespace Privilege Escalation via Policy apiCall from 0, < 1.15.3, >= 1.16.0, < 1.16.3
>= 1.16.0, < 1.17.2
HIGH8.5CVE-2025-46342Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements from 0, < 1.13.5
HIGH8.1Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
from 0, < 1.16.4, >= 1.17.0, < 1.17.2
HIGH8.1kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
from 0, < 1.16.4
HIGH8.1Verification rule bypass in github.com/kyverno/kyverno
>= 1.8.3, <= 1.8.3, >= 1.8.4, <= 1.8.4
HIGH7.7Kyverno Controller Denial of Service via forEach Mutation Panic
from 0, < 1.16.4, >= 1.17.0, < 1.17.2
HIGH7.7Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
from 0, < 1.17.2
HIGH7.7Kyverno Denial of Service via Context Variable Amplification in Policy Engine
from 0, < 1.15.3, >= 1.16.0, < 1.16.3
HIGH7.7Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
from 0, < 1.14.2
HIGH7.5Kyverno's PolicyException objects can be created in any namespace by default
from 0, < 1.13.0
HIGH7.1Attacker can cause Kyverno user to unintentionally consume insecure image
from 0, < 1.10.5
MEDIUM6.1Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
from 0, < 2.5.2
MEDIUM5.8Kyverno ignores subjectRegExp and IssuerRegExp
from 0, < 1.14.0