Kubernetes CVE Tracker
High- and critical-severity CVEs affecting kubernetes/kubernetes, cilium/cilium, containerd/containerd, falcosecurity/falco, and kyverno/kyverno. Pages publish within 24 hours of public disclosure with impact, affected versions, detection guidance, and mitigation.
Last reviewed: — 19 CVEs tracked
| CVE | Severity | Projects | Disclosed | Summary |
|---|---|---|---|---|
| CVE-2026-41520 | HIGH 7.9 | cilium | | Sensitive information included in cilium-bugtool debug archive |
| CVE-2026-41485 | HIGH 7.7 | kyverno | | Kyverno Controller Denial of Service via forEach Mutation Panic |
| CVE-2026-41323 | HIGH 8.1 | kyverno | | ServiceAccount token leaked to external servers via apiCall service URL |
| CVE-2026-41068 | HIGH 7.7 | kyverno | | Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix) |
| CVE-2026-40868 | HIGH 8.1 | kyverno | | kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token |
| CVE-2026-4789 | HIGH 8.5 | kyverno | | SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access |
| CVE-2026-22039 | CRITICAL 10.0 | kyverno | | Kyverno Cross-Namespace Privilege Escalation via Policy apiCall |
| CVE-2026-23881 | HIGH 7.7 | kyverno | | Kyverno Denial of Service via Context Variable Amplification in Policy Engine |
| CVE-2025-47281 | HIGH 7.7 | kyverno | | Kyverno Denial of Service via Improper JMESPath Variable Evaluation |
| CVE-2025-47290 | CRITICAL | containerd | | Host filesystem access during image unpack |
| CVE-2025-46342 | HIGH 8.6 | kyverno | | Bypass of policy rules that use namespace selectors in match statements |
| CVE-2024-37307 | HIGH 7.9 | cilium | | Sensitive information leak in cilium-bugtool |
| CVE-2024-28860 | HIGH 8.0 | cilium | | Insecure IPsec transport encryption in Cilium |
| CVE-2024-28248 | HIGH 7.2 | cilium | | Intermittent HTTP policy bypass |
| CVE-2023-47630 | HIGH 7.1 | kyverno | | Attacker can cause Kyverno user to unintentionally consume insecure image |
| CVE-2023-29002 | HIGH 7.2 | cilium | | Debug mode leaks confidential data in Cilium |
| CVE-2022-47633 | HIGH | kyverno | | Bypass of verifyImages rule possible with malicious proxy/registry |
| CVE-2022-29179 | HIGH 7.6 | cilium | | User with root privileges on node can leverage permissions of Cilium ClusterRole |
| CVE-2021-43816 | HIGH | containerd | | containerd CRI plugin: Unprivileged pod using `hostPath` can side-step SELinux |
How the Tracker Works
- Polls GitHub Security Advisories (GHSA) for the five upstream projects on an hourly cron.
- Auto-publishes HIGH and CRITICAL CVEs as pull requests for human review before merge.
- Each page contains only facts from the GHSA payload — affected versions, fixed versions, severity, references — plus prose impact / detection / mitigation derived from the same payload.
- MEDIUM and LOW are not currently tracked individually.
- Pages are immutable URLs — when a CVE is updated upstream, the page is refreshed in place rather than re-published at a new path.