QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23960

Published: Jan 21, 2026

Modified: Jan 22, 2026

PUBLISHED

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.

Vendor	Product	Versions
argoproj	argo-workflows	affected `< 3.6.17` affected `>= 3.7.0, < 3.7.8`

Weaknesses (CWE)

References

https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82

x_refsource_CONFIRM

https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17

x_refsource_MISC

https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244

x_refsource_MISC

https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17

x_refsource_MISC

https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.