github.com/argoproj/argo-cd

HIGH 7.3

Go

CVE-2026-45738

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

May 19, 2026

UNKNOWN

Go

CVE-2025-59531

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd

Oct 23, 2025

UNKNOWN

Go

CVE-2025-59537

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd

Oct 23, 2025

HIGH 7.7

Go

CVE-2022-24348

Path traversal and dereference of symlinks in Argo CD

Feb 7, 2022

UNKNOWN

Go

CVE-2021-23347

Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd

Aug 21, 2024

MEDIUM 5.3

Go

CVE-2022-41354

Argo CD authenticated but unauthorized users may enumerate Application names via the API

Mar 23, 2023

CRITICAL 9.9

Go

CVE-2022-24768

Improper access control allows admin privilege escalation in Argo CD

Mar 24, 2022

UNKNOWN

Go

CVE-2022-24768

Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-1025

Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd

Aug 21, 2024

HIGH 8.8

Go

CVE-2022-1025

Argo CD improper access control bug can allow malicious user to escalate privileges to admin level

Jul 13, 2022

UNKNOWN

Go

CVE-2024-37152

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd

Jun 14, 2024

UNKNOWN

Go

CVE-2023-40026

Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2023-40029

Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2023-40584

Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2018-21034

Argo Exposure of Sensitive Information in github.com/argoproj/argo-cd

Aug 20, 2024

UNKNOWN

Go

CVE-2022-41354

Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

Aug 20, 2024

UNKNOWN

Go

CVE-2023-23947

Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd

Aug 20, 2024

UNKNOWN

Go

CVE-2023-22482

JWT audience claim is not verified in github.com/argoproj/argo-cd

Aug 20, 2024

UNKNOWN

Go

CVE-2023-22736

Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd

Aug 20, 2024

UNKNOWN

Go

CVE-2020-8827

Improper Restriction of Excessive Authentication Attempts in Argo API in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2020-11576

Observable Discrepancy in Argo in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31105

Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31036

Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31102

Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

GHSA-6w87-g839-9wv7

Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-24348

Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2024-36106

Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

Jun 28, 2024

UNKNOWN

Go

CVE-2023-40025

Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31016

DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31035

Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-31034

Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-29165

Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-24905

Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-24904

Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-24731

Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2022-24730

Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

Aug 21, 2024

UNKNOWN

Go

CVE-2024-40634

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

Aug 6, 2024

CRITICAL 9.0

Go

CVE-2024-31989

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

May 21, 2024

UNKNOWN

Go

CVE-2025-23216

Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd

Feb 4, 2025

UNKNOWN

Go

CVE-2024-28175

Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

Mar 22, 2024

CRITICAL 9.0

Go

CVE-2025-47933

Argo CD allows cross-site scripting on repositories page

May 28, 2025

UNKNOWN

Go

CVE-2025-55190

Argo CD's Project API Token Exposes Repository Credentials in github.com/argoproj/argo-cd

Sep 8, 2025

UNKNOWN

Go

CVE-2024-41666

The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

Aug 6, 2024

UNKNOWN

Go

CVE-2024-31989

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

Jun 5, 2024

UNKNOWN

Go

CVE-2024-32476

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

Jun 4, 2024

MEDIUM 6.4

Go

CVE-2023-50726

Users with `create` but not `override` privileges can perform local sync

Mar 15, 2024

UNKNOWN

Go

CVE-2023-50726

Bypass manifest during application creation in github.com/argoproj/argo-cd/v2

Mar 22, 2024

CRITICAL 9.0

Go

CVE-2024-28175

Cross-site scripting on application summary component

Mar 15, 2024

UNKNOWN

Go

CVE-2025-47933

Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd

May 29, 2025

MEDIUM 6.8

Go

CVE-2025-23216

Argo CD does not scrub secret values from patch errors

Jan 30, 2025

UNKNOWN

Go

CVE-2024-31990

Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

Jun 4, 2024

HIGH 7.5

Go

CVE-2024-40634

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint

Jul 22, 2024

HIGH 8.3

Go

CVE-2024-22424

github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability

Jan 19, 2024

HIGH 7.5

Go

CVE-2025-59537

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

Sep 30, 2025

HIGH 7.5

Go

CVE-2025-59531

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Sep 30, 2025

UNKNOWN

Go

CVE-2025-55191

Repository Credentials Race Condition Crashes Argo CD Server in github.com/argoproj/argo-cd

Oct 23, 2025

UNKNOWN

Go

CVE-2025-59538

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook in github.com/argoproj/argo-cd

Oct 23, 2025

HIGH 7.5

Go

CVE-2020-8827

Improper Restriction of Excessive Authentication Attempts in Argo API

Jul 26, 2021

MEDIUM 5.3

Go

CVE-2020-11576

Observable Discrepancy in Argo

Dec 9, 2021

CRITICAL 9.0

Go

CVE-2022-31035

Argo CD's external URLs for Deployments can include JavaScript

Jun 21, 2022

CRITICAL 10.0

Go

CVE-2022-29165

Argo CD will blindly trust JWT claims if anonymous access is enabled

May 24, 2022

LOW 2.6

Go

CVE-2022-31102

Argo CD SSO users vulnerable to Cross-site Scripting

Jul 12, 2022

MEDIUM 4.3

Go

CVE-2022-31036

Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server

Jun 21, 2022

MEDIUM 6.5

Go

CVE-2022-31016

DoS through large manifest files in Argo CD

Jun 21, 2022

HIGH 8.3

Go

CVE-2022-31034

Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params

Jun 21, 2022

HIGH 8.3

Go

CVE-2022-31105

Argo CD certificate verification is skipped for connections to OIDC providers

Jul 12, 2022

MEDIUM 4.3

Go

CVE-2022-24905

Login screen allows message spoofing if SSO is enabled

May 24, 2022

MEDIUM 6.6

Go

GO-2022-0387

Helm OCI credentials leaked into Argo CD logs

May 21, 2021

MEDIUM 5.0

Go

CVE-2023-40026

Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server

Sep 27, 2023

MEDIUM 6.8

Go

CVE-2022-24731

Path traversal allows leaking out-of-bound files from Argo CD repo-server

Mar 24, 2022

HIGH 7.7

Go

CVE-2022-24730

Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server

Mar 24, 2022

CRITICAL 9.1

Go

CVE-2023-23947

Users with any cluster secret update access may update out-of-bounds cluster secrets

Feb 16, 2023

MEDIUM 6.5

Go

CVE-2018-21034

Argo Exposure of Sensitive Information

May 24, 2022

CRITICAL 9.0

Go

CVE-2023-22482

JWT audience claim is not verified

Jan 25, 2023

HIGH 8.8

Go

CVE-2020-8828

Argo CD Insecure default administrative password

Jul 26, 2021

MEDIUM 4.3

Go

CVE-2024-36106

Argo-cd authenticated users can enumerate clusters by name

Jun 6, 2024

HIGH 7.5

Go

CVE-2024-21661

Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment

Mar 18, 2024