HIGH CVE reported by Trivy scan tool for v0.53.2 #981

@Kisan-hpe

The listed CVE for v0.53.2 includes HIGH.
@devanshuVmware Can you check and let us know when the new version with CVE fixes will be available? Our CI pipeline is currently blocked because of these High issues.
Vulnerabilities Summary

/usr/local/bin/ytt (gobinary)

Summary:
Total: 3 (HIGH: 1, MEDIUM: 1, LOW: 1)


Details

| Library | CVE ID | Severity | Status | Installed Version | Fixed Version | Description |
|---|---|---|---|---|---|---|
| stdlib | CVE-2026-25679 | HIGH | Fixed | v1.25.7 | 1.25.8, 1.26.1 | net/url: Incorrect parsing of IPv6 host literals |
| stdlib | CVE-2026-27142 | MEDIUM | Fixed | v1.25.7 | - | html/template: URLs in meta content attributes not escaped |
| stdlib | CVE-2026-27139 | LOW | Fixed | v1.25.7 | - | os: FileInfo can escape from a Root |

Labels

- bug: This issue describes a defect or unexpected behavior
- carvel accepted: This issue should be considered for future work and that the triage process has been completed