High
CVE-2026-33414
Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the…
Tag: Podman
All CVEs associated with "Podman". Page 1/1 • 34 CVEs.
About “Podman”
A curated feed of “Podman”-related CVEs appears below. We currently track 34 CVEs for this tag (all time). In the last 365 days, 10 were published. Average CVSS is 6.8 (all time; 7.7 over 365d), and 56% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-209 - Generation of Error Message Containing Sensitive Information.
In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
Support & lifecycle: podman
This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.
| Cycle | Release | Latest | EOL | LTS |
|---|---|---|---|---|
| 5.8 | 5.8.2 | - | ||
| 5.7 | 5.7.1 | Expired | ||
| 5.6 | 5.6.2 | Expired | ||
| 5.5 | 5.5.2 | Expired | ||
| 5.4 | 5.4.2 | Expired | ||
| 5.3 | 5.3.2 | Expired | ||
| 5.2 | 5.2.5 | Expired | ||
| 5.1 | 5.1.2 | Expired | ||
| 5.0 | 5.0.3 | Expired | ||
| 4.9 | 4.9.5 | - Expired | ||
| 4.8 | 4.8.3 | - Expired | ||
| 4.7 | 4.7.2 | - Expired | ||
| 4.6 | 4.6.2 | - Expired | ||
| 4.5 | 4.5.1 | - Expired | ||
| 4.4 | 4.4.4 | - Expired | ||
| 4.3 | 4.3.1 | - Expired | ||
| 4.2 | 4.2.1 | - Expired | ||
| 4.1 | 4.1.1 | - Expired | ||
| 4.0 | 4.0.3 | - Expired | ||
| 3.4 | 3.4.7 | - Expired | ||
| 3.3 | 3.3.1 | - Expired | ||
| 3.2 | 3.2.3 | - Expired | ||
| 3.1 | 3.1.2 | - Expired | ||
| 3.0 | 3.0.2 | - Expired |
Maintained Soon (≤ 180 days) Expired
Subscribe lifecycle: RSS · RSS (expired) · ICS
Subscribe CVEs: RSS for “Podman” · RSS (High+Critical only)
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2026-04-14
2026-04-07
High
CVE-2026-34045
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigg…
2026-03-23
High
CVE-2026-33046
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX synta…
2026-01-28
High
CVE-2026-24835
Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to comple…
2025-09-18
High
CVE-2023-49565
The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command…
High
CVE-2023-49564
The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows…
2025-09-16
High
CVE-2025-4953
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the contai…
2025-09-05
High
CVE-2025-9566
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a…
2025-07-28
Low
CVE-2025-8283
A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AA…
2025-06-24
High
CVE-2025-6032
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
2025-02-27
Medium
CVE-2024-57974
In the Linux kernel, the following vulnerability has been resolved: udp: Deal with race between UDP socket address change and rehash If a UDP socket changes its local address while it's receiving d…
2025-01-22
High
CVE-2024-11218
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might miti…
2024-12-24
High
CVE-2024-12582
A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud en…
2024-10-15
Medium
CVE-2024-9676
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of ser…
2024-08-02
High
CVE-2024-3056
A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large…
2024-03-18
High
CVE-2024-1753
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dumm…
2023-03-29
Medium
CVE-2023-25809
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:…
2023-03-27
Medium
CVE-2023-0778
A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for acces…
2022-09-13
High
CVE-2022-2989
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to t…
2022-09-01
Medium
CVE-2022-2739
The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fi…
High
CVE-2022-2738
The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fix…
2022-06-09
Medium
CVE-2019-25067
A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Remote Privilege Escalation. It…
2022-04-29
High
CVE-2022-1227
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability…
2022-04-04
High
CVE-2022-27649
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly…
2021-12-23
Medium
CVE-2021-4024
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` A…
2021-05-27
Low
CVE-2020-1702
A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An…
2021-02-11
High
CVE-2021-20188
A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the c…
2021-02-02
Medium
CVE-2021-20199
Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) c…
2020-09-23
Medium
CVE-2020-14370
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are cr…
2020-02-11
Medium
CVE-2020-1726
A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious contain…
2019-11-25
Medium
CVE-2019-10214
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections…
2019-10-28
Medium
CVE-2019-18466
An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs.…
2019-07-30
High
CVE-2019-10152
A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arb…
2018-07-03
Medium
CVE-2018-10856
It has been discovered that podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container.