XSS in Argoproj Argo-workflows

CVE-2026-23960

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitra…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (18.4th percentile) — read the EPSS interpretation.

Affected products

Argoproj Argo-workflows — versions < 3.6.17, >= 3.7.0, < 3.7.8

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 (x_refsource_CONFIRM)
https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 (x_refsource_MISC)
https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 (x_refsource_MISC)
https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 (x_refsource_MISC)
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 (x_refsource_MISC)