Product
high
threat
Argo CD Stored XSS in Application Link Annotations Enables Privilege Escalation
2 rules 1 TTP
Argo CD is vulnerable to stored cross-site scripting (XSS) via manipulated application link annotations, allowing a low-privileged user to execute arbitrary JavaScript in a higher-privileged user's session, leading to privilege escalation.
Argo CD
xss
privilege-escalation
argocd
cloud
critical
advisory
ArgoCD ServerSideDiff Secret Extraction Vulnerability
2 rules 1 TTP
A missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism, affecting versions v3.2.0-v3.2.10 and v3.3.0-v3.3.8.
argo-cd
argocd
secret-extraction
kubernetes
credential-access
medium
advisory
Argo CD Information Disclosure Vulnerability
2 rules 2 TTPs
A remote, authenticated attacker can exploit a vulnerability in Argo CD to disclose sensitive information.
argo cd
argocd
information-disclosure
cloud