CNNVD-202602-2066 Information
Feb 12, 2026
cve
CNNVD ID
CNNVD-202602-2066
Related CVE
- CNNVD Published: 2026-02-12
Description (Chinese)
yoke是YokeCD开源的一个Kubernetes包管理工具。 Yoke 0.19.0及之前版本存在代码注入漏洞,该漏洞源于Air Traffic Controller组件缺乏适当的URL验证,允许具有CR创建或更新权限的用户通过注入恶意URL执行任意WASM代码,可能导致创建任意Kubernetes资源或权限提升。
Description (English)
Yoke is a Kubernetes package management tool for YokeCD open source. Yoke 0.19.0 and previous versions had a code-infusion loophole, which stemmed from the lack of proper URL validation for the Air Traffic Contractor component, allowing users with CR creation or updating permission to implement any WSM code by injecting malicious URLs, which could lead to the creation of any Kubernetes resource or permit enhancement.
Vulnerability Type
代码注入
Affected Vendor
YokeCD
Published
2026-02-12
Last Modified
2026-02-24
References
https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff
Patch
https://github.com/yokecd/yoke/releases
Share on: