Vulnerability Report

CVE-2026-23960

Title: Stored XSS in Argo Workflows

XSS

Proof Of Concept

No public PoC currently indexed for CVE-2026-23960.

CWE Category CWE-79

Published Date Jan 21, 2026

Modified Date Feb 17, 2026

Exploit Status Not Found

Score 7.3 CVSS v4.0

Exploit Probability (EPSS)

0.25%

Vulnerability Summary

CVE-2026-23960: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Impacted Vendors

argoproj 1

Reference Links

https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82

CVSS v4.0

Source Entity [email protected]

Severity HIGH

7.3

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

ACTIVE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

5.4

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns