About “Kuma”

A curated feed of “Kuma”-related CVEs appears below. We currently track 15 CVEs for this tag (all time). In the last 365 days, 3 were published. Average CVSS is 6.5 (all time; 5.6 over 365d), and 13% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-346 - Origin Validation Error, CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), CWE-862 - Missing Authorization. Note that the tag covers two unrelated projects: Kuma, the Envoy-based service mesh (CVE-2026-45021 and CVE-2024-36542), and Uptime Kuma, the self-hosted monitoring tool (all other entries). Check which product an entry refers to before mapping its fixed versions onto your inventory.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are the authoritative source for fixed versions. Verify compatibility matrices, prefer supported long-term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: kuma

This table shows recent release cycles and their projected end-of-life for Kuma, the Envoy-based service mesh; the cycles below match the fixed versions named in CVE-2026-45021 (2.7.25, 2.9.15, 2.11.13, 2.12.10, 2.13.5). Uptime Kuma, which accounts for most CVEs under this tag, is a separate project with its own 1.x/2.x numbering and is not covered by this table. Data source: endoflife.date. Release and EOL dates are available there; only the cycle, latest patch and support status are reproduced here.

| Cycle | Latest  | Status     | LTS |
|-------|---------|------------|-----|
| 2.13  | 2.13.7  | Maintained |     |
| 2.12  | 2.12.11 | Soon       |     |
| 2.11  | 2.11.14 | Soon       |     |
| 2.10  | 2.10.11 | Expired    |     |
| 2.9   | 2.9.15  | Soon       |     |
| 2.8   | 2.8.8   | Expired    |     |
| 2.7   | 2.7.26  | Soon       | LTS |
| 2.6   | 2.6.15  | Expired    |     |
| 2.5   | 2.5.11  | Expired    |     |
| 2.4   | 2.4.10  | Expired    |     |
| 2.3   | 2.3.7   | Expired    |     |
| 2.2   | 2.2.9   | Expired    |     |
| 2.1   | 2.1.7   | Expired    |     |
| 2.0   | 2.0.8   | Expired    |     |
| 1.8   | 1.8.8   | Expired    |     |
| 1.7   | 1.7.6   | Expired    |     |
| 1.6   | 1.6.5   | Expired    |     |
| 1.5   | 1.5.5   | Expired    |     |
| 1.4   | 1.4.1   | Expired    |     |
| 1.3   | 1.3.1   | Expired    |     |
| 1.2   | 1.2.3   | Expired    |     |

Status legend: Maintained · Soon (EOL within 180 days) · Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Kuma”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

2026-05-28
Medium

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin…

2026-03-20
Medium

CVE-2026-33130

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to prevent Server-side Template Injection (SSTI). The…

2026-03-12
Medium

CVE-2026-32230

Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested mo…

2025-03-17
Medium

CVE-2025-26042

Uptime Kuma >= 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in t…

2024-12-20
Medium

CVE-2024-56331

Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` pr…
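The fix for a `file:///` target is not to blocklist that one prefix but to allowlist the schemes a monitor may use. The block below is an added example, not Uptime Kuma's code: it contrasts a naive prefix check with parsing through the WHATWG `URL` class and accepting only `http:`/`https:`. The sample inputs are constructed for the example.

```javascript
// Added example, not Uptime Kuma's code: allowlist the URL scheme of a
// monitor target instead of blocklisting "file://".

// What a quick fix tends to look like: reject exactly the prefix that was
// reported. Kept here only to show what it misses.
function naiveRejectFileScheme(input) {
  return !input.startsWith("file://");
}

// Hardened form: parse with the WHATWG URL class and accept only http(s).
// The parser lower-cases the scheme and strips leading/trailing whitespace
// and C0 controls, so "FILE:", " file:" and "file:/x" (one slash) all end
// up as protocol "file:" and are rejected along with every other scheme.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function validateMonitorUrl(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not a string" };
  }
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Store the normalised form so what is saved is exactly what was checked.
  return { ok: true, url: url.href };
}

// Constructed inputs: what an attacker might type into the monitor form.
const SAMPLE_INPUTS = [
  "https://example.com/health",
  "file:///etc/passwd",
  "FILE:///etc/passwd",
  " file:/etc/passwd",
  "gopher://127.0.0.1:6379/_SET%20x%20y",
  "not a url",
];

for (const input of SAMPLE_INPUTS) {
  console.log(
    JSON.stringify(input),
    "naive accepts:", naiveRejectFileScheme(input),
    "hardened:", validateMonitorUrl(input).ok
  );
}
```

Run it and note that the naive check accepts both `FILE:///etc/passwd` and ` file:/etc/passwd`, while the parser-based check rejects them together with `gopher:` and every other scheme it was never told about.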

2024-07-25
High

CVE-2024-36542

Insecure permissions in kuma v2.7.0 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.

2023-12-11
Medium

CVE-2023-49805

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid.…
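The CWE-346 entry above is the cross-site WebSocket hijacking pattern: the browser attaches the victim's cookies to the Socket.io upgrade, so the server must check the `Origin` header itself. The block below is an added example, not Uptime Kuma's code; the allowlist entries are constructed, and the Socket.io wiring at the end is shown in a comment rather than executed.

```javascript
// Added example, not Uptime Kuma's code: origin validation for the
// WebSocket / Socket.io handshake (CWE-346). Browsers set Origin on every
// WebSocket upgrade and page script cannot change it, so an exact match
// against an allowlist is what stops a cross-site page from opening a
// socket that rides on the victim's session cookie.

function normalizeOrigin(value) {
  // "https://STATUS.example.com:443" -> "https://status.example.com"
  // Returns null for anything that is not an http(s) origin, including the
  // literal "null" a browser sends for sandboxed or opaque origins.
  if (typeof value !== "string") return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

function buildAllowlist(entries) {
  // Normalise configured entries the same way, so "https://host:443/" in
  // config matches "https://host" on the wire.
  const out = new Set();
  for (const e of entries) {
    const n = normalizeOrigin(e);
    if (n === null) throw new Error(`bad allowlist entry: ${e}`);
    out.add(n);
  }
  return out;
}

function isAllowedOrigin(originHeader, allowlist) {
  // No Origin header means a non-browser client. Fail closed: this UI is
  // only driven by a browser, and a browser cannot omit the header.
  if (originHeader === undefined) return false;
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return false;
  // Exact set membership, never startsWith/includes, otherwise
  // "https://status.example.com.evil.net" would pass.
  return allowlist.has(origin);
}

// Constructed configuration for the example.
const ALLOWED = buildAllowlist(["https://status.example.com:443/", "http://localhost:3001"]);

// Wiring for Socket.io (not executed here): the server's allowRequest option
// receives the HTTP upgrade request and a callback(err, success).
//   const io = new Server(httpServer, {
//     allowRequest: (req, cb) => cb(null, isAllowedOrigin(req.headers.origin, ALLOWED)),
//   });

console.log("same-site:", isAllowedOrigin("https://status.example.com", ALLOWED));
console.log("lookalike:", isAllowedOrigin("https://status.example.com.evil.net", ALLOWED));
```

A scheme downgrade (`http://status.example.com` against an `https://` entry) is also refused, because the origin includes the scheme; if plain-HTTP access is genuinely needed it has to be listed explicitly.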

Medium

CVE-2023-49804

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being l…

2023-12-01
Medium

CVE-2023-49276

Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the cust…

2023-10-09
Medium

CVE-2023-44400

Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session T…

2023-07-05
Medium

CVE-2023-36822

Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins.…

High

CVE-2023-36821

Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma…

2023-04-04
Medium

CVE-2023-26777

Cross Site Scripting vulnerability found in louislam Uptime Kuma v1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation…

2023-02-21
Medium

CVE-2023-25811

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds…

Medium

CVE-2023-25810

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for…
