Browse all 5 CVE security advisories affecting go-vela. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Go-vela is a continuous delivery platform for containerized applications, enabling automated deployment pipelines. Historically, it has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues, with five CVEs documented. The platform's web interface and API components have been primary attack vectors, often stemming from improper input validation and insecure default configurations. While no major public security incidents have been widely reported, the consistent pattern of vulnerabilities in early versions highlights the importance of timely updates and hardening. Organizations implementing go-vela should prioritize applying security patches and implementing network segmentation to mitigate potential risks.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-27616 | Vela Server has Insufficient Webhook Payload Data Verification — serverCWE-290 | 8.6 | High | 2025-03-10 |
| CVE-2024-28236 | Insecure Variable Substitution in Vela — workerCWE-532 | 7.7 | High | 2024-03-12 |
| CVE-2022-39395 | Vela Insecure Defaults — serverCWE-269 | 9.6 | Critical | 2022-11-10 |
| CVE-2021-21432 | Reject unauthorized access with GitHub PATs — serverCWE-285 | 7.5 | High | 2021-04-09 |
| CVE-2020-26294 | Exposure of server configuration — compilerCWE-78 | 7.4 | High | 2021-01-04 |
This page lists every published CVE security advisory associated with go-vela. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.