Kyverno - 23 CVEs (Page 1/1)

About “Kyverno”

A curated feed of “Kyverno”-related CVEs appears below. We currently track 23 CVEs for this tag (all time). In the last 365 days, 11 were published. Average CVSS is 7.0 (all time; 8.2 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-617 - Reachable Assertion.

In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: kyverno

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL
1.17	2026-02-02	1.17.2	-
1.16	2025-11-10	1.16.4	-
1.15	2025-07-31	1.15.20	-
1.14	2025-04-24	1.14.5	2026-02-02 Expired
1.13	2024-10-29	1.13.6	2025-11-10 Expired
1.12	2024-04-26	1.12.7	2025-07-31 Expired
1.11	2023-11-10	1.11.5	2025-04-25 Expired
1.10	2023-05-30	1.10.7	2024-10-29 Expired
1.9	2023-02-01	1.9.5	2024-04-26 Expired
1.8	2022-10-10	1.8.5	2023-11-10 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Kyverno” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-05-12

Medium

CVE-2026-44245

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentio…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2026-04-24

High

CVE-2026-41485

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user wit…

CVSS: 7.7 CWE: CWE-617 - Reachable Assertion View on NVD

High

CVE-2026-41323

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attache…

CVSS: 8.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD

High

CVE-2026-41068

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating t…

CVSS: 7.7 CWE: CWE-863 - Incorrect Authorization View on NVD

2026-04-21

High

CVE-2026-40868

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno c…

CVSS: 8.1 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD

2026-03-30

Critical

CVE-2026-4789

Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

2026-01-27

High

CVE-2026-23881

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users wit…

CVSS: 7.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD

Critical

CVE-2026-22039

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall…

CVSS: 9.9 CWE: CWE-269 - Improper Privilege Management View on NVD

2026-01-21

High

CVE-2026-22822

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecr…

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD

2025-10-10

High

CVE-2025-62159

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implement…

CVSS: 8.7 CWE: CWE-284 - Improper Access Control View on NVD

2025-07-23

High

CVE-2025-47281

Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath vari…

CVSS: 7.7 CWE: CWE-20 - Improper Input Validation View on NVD

2025-04-30

High

CVE-2025-46342

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statem…

CVSS: 8.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD

2025-03-24

Medium

CVE-2025-29778

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with k…

CVSS: 5.8 CWE: CWE-285 - Improper Authorization View on NVD

2024-10-29

Low

CVE-2024-48921

Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By des…

CVSS: 2.7 CWE: CWE-285 - Improper Authorization View on NVD

2023-11-14

High

CVE-2023-47630

Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker…

CVSS: 7.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD

2023-11-13

Medium

CVE-2023-42816

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary…

CVSS: 6.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD

Low

CVE-2023-42815

CVSS: 3.1 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD

Low

CVE-2023-42814

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Nota…

CVSS: 3.1 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD

Medium

CVE-2023-42813

CVSS: 6.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2023-06-01

Medium

CVE-2023-34091

Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existin…

CVSS: 6.5 CWE: CWE-285 - Improper Authorization View on NVD

2023-05-30

Medium

CVE-2023-33191

Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. Thi…

CVSS: 4.6 CWE: CWE-284 - Improper Access Control View on NVD

2022-12-23

High

CVE-2022-47633

An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD

2021-11-12

High

CVE-2021-41254

kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Us…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD