CVE Catalog

CVE-2026-23960

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile - higher than 26% of all known CVEs

Summary

Stored XSS vulnerability in Argo Workflows allows arbitrary JavaScript execution in another user's browser via artifact directory listing. Affects versions prior to 3.6.17 and 3.7.8.

Risk Assessment

An attacker can hijack the victim's session and perform API actions with their privileges, leading to unauthorized access to data and resources.

Recommendation

Upgrade Argo Workflows to version 3.6.17 or 3.7.8 immediately, which contain the fix for this vulnerability.

Original NVD description (English source)

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS