Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-h98r-wv3h-fr38 | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Argoproj
Argoproj argo-cd |
|
| Vendors & Products |
Argoproj
Argoproj argo-cd |
Wed, 15 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/application-summary.tsx in the Summary tab URLs section as anchor href values without URL validation, allowing javascript: execution in a higher-privileged user's authenticated Argo CD origin session. This issue is fixed in versions 3.2.12, 3.3.10, and 3.4.2. | |
| Title | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T15:12:45.158Z
Reserved: 2026-05-13T06:54:34.219Z
Link: CVE-2026-45738
Updated: 2026-07-16T14:52:25.078Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T23:45:15Z
Github GHSA