Suggestions search

Published

Filter by:

With package: python313Packages.kestra

Found 3 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-34612

10.0 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 19 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 week ago
@LeSuisse accepted 19 hours ago
@LeSuisse published on GitHub 19 hours ago

Kestra: Remote Code Execution via SQL Injection

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

References

https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x x_refsource_CONFIRM
https://github.com/kestra-io/kestra/commit/3926762795df8ad3e03924b370c51832ed3a21d3 x_refsource_MISC
https://github.com/kestra-io/kestra/releases/tag/v1.3.7 x_refsource_MISC

Affected products

kestra

==< 1.3.7

Matching in nixpkgs

pkgs.python312Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python313Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python314Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Permalink CVE-2026-33664

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 1 day ago
@LeSuisse accepted 2 weeks, 1 day ago
@LeSuisse published on GitHub 2 weeks ago

Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs[].displayName, inputs[].description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.

References

https://github.com/kestra-io/kestra/security/advisories/GHSA-v2mc-8q95-g7hp x_refsource_CONFIRM

Affected products

kestra

==<= 1.3.3

Matching in nixpkgs

pkgs.python312Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python313Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python314Packages.kestra

Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Upstream advisory: https://github.com/kestra-io/kestra/security/advisories/GHSA-v2mc-8q95-g7hp

Permalink CVE-2026-29082

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 1 month ago by @mweinelt Activity log

Created automatic suggestion 1 month ago
@mweinelt accepted 1 month ago
@mweinelt published on GitHub 1 month ago

Kestra: Stored Cross-Site Scripting in Markdown File Preview

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there are no publicly available patches.