pkg:Go/github.com/argoproj/argo-cd/v2

79 total CVEs: CRITICAL 17, HIGH 24, MEDIUM 37, LOW 1


All known vulnerabilities

  • CRITICAL 10.0 CVE-2022-29165: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd
    from 0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4
  • CRITICAL 10.0 CVE-2022-29165: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd
    >= 2.3.0, < 2.3.4
  • CRITICAL 9.9 CVE-2025-55190: Argo CD: Project API Token Exposes Repository Credentials
    >= 2.13.0, < 2.13.9, >= 2.14.0, < 2.14.16
  • CRITICAL 9.9 CVE-2025-55190: Argo CD: Project API Token Exposes Repository Credentials
    >= 2.13.0, < 2.13.9
  • CRITICAL 9.9 CVE-2023-40029: Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd
    >= 2.2.0, < 2.6.15
  • CRITICAL 9.9 CVE-2023-40029: Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd
    >= 2.2.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3
  • CRITICAL 9.9 CVE-2022-24768: Improper access control allows admin privilege escalation in Argo CD
    from 0, < 2.1.14, >= 2.2.0, < 2.2.8, >= 2.3.0, < 2.3.2
  • CRITICAL 9.1 CVE-2023-23947: Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd
    >= 2.3.0, < 2.3.17, >= 2.4.0, < 2.4.23, >= 2.5.0, < 2.5.11, >= 2.6.0, < 2.6.2
  • CRITICAL 9.0 CVE-2025-47933: Argo CD allows cross-site scripting on repositories page
    >= 2.0.0-rc3, < 2.13.8
  • CRITICAL 9.0 CVE-2025-47933: Argo CD allows cross-site scripting on repositories page
    >= 2.0.0-rc3, < 2.13.8, >= 2.14.0-rc1, < 2.14.13
  • CRITICAL 9.0 CVE-2024-31989: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
    from 0, < 2.8.19, >= 2.9.0-rc1, < 2.9.15, >= 2.10.0-rc1, < 2.10.10, >= 2.11.0-rc1, < 2.11.1
  • CRITICAL 9.0 CVE-2024-31989: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
    from 0, < 2.8.19
  • CRITICAL 9.0 CVE-2024-28175: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2
    >= 2.9.0, < 2.9.8
  • CRITICAL 9.0 CVE-2024-28175: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2
    >= 2.0.0, < 2.8.12, >= 2.9.0, < 2.9.8, >= 2.10.0, < 2.10.3
  • CRITICAL 9.0 CVE-2023-22482: JWT audience claim is not verified in github.com/argoproj/argo-cd
    from 0, < 2.3.14, >= 2.4.0, < 2.4.20, >= 2.5.0, < 2.5.8, >= 2.6.0-rc1, < 2.6.0-rc5
  • CRITICAL 9.0 CVE-2022-31035: Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd
    from 0, < 2.1.16
  • CRITICAL 9.0 CVE-2022-31035: Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd
    from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1
  • HIGH 8.8 CVE-2022-1025: Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd
    from 0, < 2.1.14, >= 2.2.0, < 2.2.8, >= 2.3.0, < 2.3.2
  • HIGH 8.8 CVE-2022-1025: Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd
    from 0, < 2.1.14
  • HIGH 8.5 CVE-2023-22736: Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd
    >= 2.5.0-rc1, < 2.5.8, >= 2.6.0-rc4, < 2.6.0-rc5
  • HIGH 8.5 CVE-2023-22736: Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd
    >= 2.5.0-rc1, < 2.5.8
  • HIGH 8.3 CVE-2024-22424: github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability
    from 0, < 2.7.16
  • HIGH 8.3 CVE-2022-31105: Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd
    from 0, < 2.2.11, >= 2.3.0, < 2.3.6, >= 2.4.0, < 2.4.5
  • HIGH 8.3 CVE-2022-31034: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd
    from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1
  • HIGH 8.3 CVE-2022-31034: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd
    from 0, < 2.1.16
  • HIGH 7.7 CVE-2022-24730: Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.11, >= 2.2.0, < 2.2.6, >= 2.3.0-rc1, < 2.3.0
  • HIGH 7.7 CVE-2022-24348: Path traversal and dereference of symlinks in Argo CD
    from 0, < 2.1.9
  • HIGH 7.7 CVE-2022-24348: Path traversal and dereference of symlinks in Argo CD
    from 0, < 2.1.9, >= 2.2.0, < 2.2.4
  • HIGH 7.5 CVE-2025-59538: Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
    >= 2.9.0-rc1, < 2.14.20
  • HIGH 7.5 CVE-2025-59537: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd
    >= 2.0.0-rc1, < 2.14.20
  • HIGH 7.5 CVE-2025-59537: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd
    from 0, < 2.14.20
  • HIGH 7.5 CVE-2025-59531: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd
    >= 2.0.0-rc1, < 2.14.20
  • HIGH 7.5 CVE-2025-59531: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd
    from 0, < 2.14.20
  • HIGH 7.5 CVE-2024-40634: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd
    from 0, < 2.9.20
  • HIGH 7.5 CVE-2024-40634: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd
    from 0, < 2.9.20, >= 2.10.0, < 2.10.15, >= 2.11.0, < 2.11.6
  • HIGH 7.5 CVE-2024-21661: Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
    from 0, < 2.8.13, >= 2.9.0, < 2.9.9, >= 2.10.0, < 2.10.4
  • HIGH 7.5 CVE-2024-21661: Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
    from 0, < 2.8.13
  • HIGH 7.3 CVE-2026-45738: Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
    from 0, <= 2.14.21
  • HIGH 7.1 CVE-2023-40025: Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd
    >= 2.6.0, < 2.6.14, >= 2.7.0, < 2.7.12, >= 2.8.0, < 2.8.1
  • HIGH 7.1 CVE-2023-40025: Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd
    >= 2.6.0, < 2.6.14
  • MEDIUM 6.8 CVE-2025-23216: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd
    >= 2.13.0, < 2.13.4
  • MEDIUM 6.8 CVE-2025-23216: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd
    from 0, < 2.11.13, >= 2.12.0, < 2.12.10, >= 2.13.0, < 2.13.4
  • MEDIUM 6.8 CVE-2022-24731: Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.11, >= 2.2.0, < 2.2.6, >= 2.3.0-rc1, < 2.3.0
  • MEDIUM 6.5 CVE-2025-55191: Repository Credentials Race Condition Crashes Argo CD Server
    >= 2.1.0, < 2.14.20
  • MEDIUM 6.5 CVE-2024-32476: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
    >= 2.10.0, < 2.10.8
  • MEDIUM 6.5 CVE-2024-32476: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
    from 0, < 2.8.17, >= 2.9.0, < 2.9.13, >= 2.10.0, < 2.10.8
  • MEDIUM 6.5 CVE-2024-29893: Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2
    >= 2.4.0, < 2.8.14, >= 2.9.0, < 2.9.10, >= 2.10.0, < 2.10.5
  • MEDIUM 6.5 CVE-2024-29893: Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2
    >= 2.4.0, < 2.8.14
  • MEDIUM 6.5 CVE-2023-40584: Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd
    >= 2.4.0, < 2.6.15
  • MEDIUM 6.5 CVE-2023-40584: Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd
    >= 2.4.0, < 2.6.15, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.3
  • MEDIUM 6.5 CVE-2022-31016: DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd
    from 0, < 2.1.16
  • MEDIUM 6.5 CVE-2022-31016: DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd
    from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1
  • MEDIUM 6.4 CVE-2023-50726: Users with `create` but not `override` privileges can perform local sync in argo-cd
    >= 2.0.0, < 2.8.12, >= 2.9.0, < 2.9.8, >= 2.10.0, < 2.10.3
  • MEDIUM 6.4 CVE-2023-50726: Users with `create` but not `override` privileges can perform local sync in argo-cd
    >= 2.9.0, < 2.9.8
  • MEDIUM 6.3 CVE-2023-25163: Argo CD leaks repository credentials in user-facing error messages and in logs
    >= 2.6.0-rc1, < 2.6.1
  • MEDIUM 5.4 CVE-2024-21652: Brute force protection bypass in github.com/argoproj/argo-cd/v2
    from 0, < 2.8.13
  • MEDIUM 5.4 CVE-2024-21652: Brute force protection bypass in github.com/argoproj/argo-cd/v2
    from 0, < 2.8.13, >= 2.9.0, < 2.9.9, >= 2.10.0, < 2.10.4
  • MEDIUM 5.3 CVE-2024-37152: Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd
    >= 2.9.3, < 2.9.17, >= 2.10.0, < 2.10.12, >= 2.11.0, < 2.11.3
  • MEDIUM 5.3 CVE-2022-41354: Argo CD authenticated but unauthorized users may enumerate Application names via the API
    from 0, < 2.4.28, >= 2.5.0, < 2.5.16, >= 2.6.0, < 2.6.7
  • MEDIUM 5.3 CVE-2022-41354: Argo CD authenticated but unauthorized users may enumerate Application names via the API
    >= 2.5.0, < 2.5.16
  • MEDIUM 5.0 CVE-2023-40026: Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.3.0
  • MEDIUM 4.8 CVE-2024-31990: Argo CD's API server does not enforce project sourceNamespaces
    >= 2.4.0, < 2.8.16, >= 2.9.0, < 2.9.12, >= 2.10.0, < 2.10.7
  • MEDIUM 4.8 CVE-2024-31990: Argo CD's API server does not enforce project sourceNamespaces
    >= 2.4.0, < 2.8.16
  • MEDIUM 4.7 CVE-2024-41666: The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd
    >= 2.6.0, < 2.9.21, >= 2.10.0, < 2.10.16, >= 2.11.0, < 2.11.7
  • MEDIUM 4.7 CVE-2024-41666: The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd
    >= 2.6.0, < 2.9.21
  • MEDIUM 4.7 CVE-2021-23347: Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd
    from 0, < 1.7.13
  • MEDIUM 4.3 CVE-2024-36106: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd
    from 0, < 2.9.17, >= 2.10.0, < 2.10.12, >= 2.11.0, < 2.11.3
  • MEDIUM 4.3 CVE-2022-31036: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.16, >= 2.2.0, < 2.2.10, >= 2.3.0, < 2.3.5, >= 2.4.0, < 2.4.1
  • MEDIUM 4.3 CVE-2022-31036: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.16
  • MEDIUM 4.3 CVE-2022-24905: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd
    >= 2.0.0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4
  • MEDIUM 4.3 CVE-2022-24905: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd
    >= 2.3.0, < 2.3.4
  • MEDIUM 4.3 CVE-2022-24904: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.15, >= 2.2.0, < 2.2.9, >= 2.3.0, < 2.3.4
  • MEDIUM 4.3 CVE-2022-24904: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd
    from 0, < 2.1.15
  • LOW 2.6 CVE-2022-31102: Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd
    >= 2.3.0, < 2.3.6, >= 2.4.0, < 2.4.5