Skip to main content

Spinnaker

5 CVEs product

Monthly

CVE-2026-55175 HIGH PATCH This Week

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.

Deserialization RCE Spinnaker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-32604 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.

Code Injection Spinnaker
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-61916 Maven HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS Gitlab Github +2
NVD GitHub
CVSS 3.1
7.9
EPSS
0.0%
CVE-2023-39348 Go MEDIUM PATCH This Month

Spinnaker is an open source, multi-cloud continuous delivery platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Spinnaker
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2020-9301 HIGH PATCH This Week

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apple Spinnaker
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.

Deserialization RCE Spinnaker
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.

Code Injection Spinnaker
NVD GitHub
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS +4
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Spinnaker is an open source, multi-cloud continuous delivery platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Spinnaker
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apple Spinnaker
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy