pkg:Bitnami/kyverno

All known vulnerabilities

• CRITICAL9.9CVE-2026-22039Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
  from 0, < 1.15.3, >= 1.16.0, < 1.16.3
• HIGH8.5CVE-2026-4789Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
  >= 1.16.0, < 1.17.2
• HIGH8.5CVE-2025-46342Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements in github.com/kyverno/kyverno
  from 0, < 1.13.5
• HIGH8.1CVE-2026-41323Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
  from 0, < 1.16.4, >= 1.17.0, < 1.17.2
• HIGH8.1CVE-2026-40868kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
  from 0, < 1.16.4
• HIGH8.1CVE-2022-47633kyverno verifyImages rule bypass possible with malicious proxy/registry
  >= 1.8.3, <= 1.8.3, >= 1.8.4, <= 1.8.4
• HIGH7.7CVE-2026-41485Kyverno Controller Denial of Service via forEach Mutation Panic
  from 0, < 1.16.4, >= 1.17.0, < 1.17.2
• HIGH7.7CVE-2026-41068Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
  from 0, < 1.17.2
• HIGH7.7CVE-2026-23881Kyverno Denial of Service via Context Variable Amplification in Policy Engine
  from 0, < 1.15.3, >= 1.16.0, < 1.16.3
• HIGH7.7CVE-2025-47281Kyverno's Improper JMESPath Variable Evaluation Lead to Denial of Service in github.com/kyverno/kyverno
  from 0, < 1.14.2
• HIGH7.5CVE-2024-48921Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno
  from 0, < 1.13.0
• HIGH7.1CVE-2023-47630Attacker can cause Kyverno user to unintentionally consume insecure image
  from 0, < 1.10.5
• MEDIUM6.1CVE-2026-44245Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
  from 0, < 2.5.2
• MEDIUM5.8CVE-2025-29778Kyverno ignores subjectRegExp and IssuerRegExp
  from 0, < 1.14.0