Vulnerabilities in kestra-io
11 resultsCVE-2026-49869CRITICALKestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`EPSS 0.7%CVE-2026-34612CRITICALKestra: Remote Code Execution via SQL InjectionEPSS 0.7%CVE-2026-53576CRITICALKestra: Unauthenticated RCE via /configs path-suffix auth-filter bypassEPSS 0.5%CVE-2026-49984HIGHKestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard)EPSS 0.4%CVE-2026-45807HIGHKestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file readEPSS 0.4%CVE-2026-48129MEDIUMKestra task inputFiles accepts traversal filenames for worker file writesEPSS 0.3%CVE-2026-53577MEDIUMKestra: Cross-Execution File Read via Preview Endpoint (IDOR)EPSS 0.3%CVE-2026-33664HIGHKestra Vulnerable to Stored Cross-Site Scripting via Flow YAML FieldsEPSS 0.3%CVE-2026-29082HIGHKestra: Stored Cross-Site Scripting in Markdown File PreviewEPSS 0.2%CVE-2026-55069HIGHKestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force AttackEPSS 0.2%CVE-2025-53543MEDIUMKestra allows Stored XSS before 0.22EPSS 0.2%