CVE-2026-23960 HIGH

CVE-2026-23960: Argo Workflows affected by stored XSS in the artifact directory listing

Vendor Argoproj
Product argo-workflows
Weakness CWE-79 · XSS
Published January 21, 2026
Last update June 30, 2026
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Key dates

02Disclosure timeline

January 21, 2026 CVE published
June 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload CVE-2025-11883 Responsive Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-8730 Exit Notifier <= 1.10.4 - Reflected Cross-Site Scripting CVE-2025-11819 WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2021-1582 Cisco Application Policy Infrastructure Controller Stored Cross-Site Scripting Vulnerability