CVE-2026-23960

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23960
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23960.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23960
Aliases
Downstream
Related
Published
2026-01-21T22:02:50.491Z
Modified
2026-03-01T02:56:44.141862Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Argo Workflows affected by stored XSS in the artifact directory listing
Details

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23960.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/argoproj/argo-workflows

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-workflows
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0b991b47bf64a116bb78ef1e8aa655352d737428
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.17"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-workflows
Events
Introduced
d1d689b367c4c8a5a8a095ae60b5d7043f99eda9
Fixed
add2c5456be4d0858639067d28b38d9199e3ae63
Database specific 
{
    "versions": [
        {
            "introduced": "3.7.0"
        },
        {
            "fixed": "3.7.8"
        }
    ]
}

Affected versions

Other
ui-v3-rc1
v2.*
v2.0.0
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-beta1
v2.1.0
v2.1.0-alpha1
v2.1.0-beta1
v2.1.0-beta2
v2.1.1
v2.10.0-rc1
v2.2.0
v2.2.1
v2.3.0-rc1
v2.3.0-rc2
v2.3.0-rc3
v3.*
v3.1.0-rc1
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.3.0-rc4
v3.3.0-rc5
v3.3.0-rc6
v3.3.0-rc7
v3.3.0-rc8
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.4.0-rc4
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.6.0-rc4
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.7.0
v3.7.0-rc4
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.7.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23960.json"