Browse all 4 CVE security advisories affecting kestra-io. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Kestra-io is an open-source workflow automation platform for orchestrating complex data pipelines and infrastructure tasks. Historically, it has been affected by remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues, with four CVEs documented to date. Its security posture benefits from a containerized execution environment, which limits the blast radius of a successful exploit. While no major public security incidents have been reported, the presence of RCE vulnerabilities in past versions underlines the importance of timely updates and of properly validating user-controlled input in workflow definitions.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34612 | Kestra: Remote Code Execution via SQL Injection | kestra | CWE-89 | 10.0 | Critical | 2026-04-03 |
| CVE-2026-33664 | Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields | kestra | CWE-79 | 7.3 | High | 2026-03-26 |
| CVE-2026-29082 | Kestra: Stored Cross-Site Scripting in Markdown File Preview | kestra | CWE-79 | 7.3 | High | 2026-03-06 |
| CVE-2025-53543 | Kestra allows Stored XSS before 0.22 | kestra | CWE-79 | 4.2 | Medium | 2025-07-07 |
This page lists every published CVE security advisory associated with kestra-io. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese analysis is provided for fast triage.