Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated valuesFrom references in Helm Deployer in github.com/rancher/fleet
valuesFrom
{ "review_status": "UNREVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-5877" }
"https://vuln.go.dev/ID/GO-2026-5877.json"