QSearchQSearch

CVE-2026-46618

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CWE
CWE-250, CWE-269, CWE-78

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-42563 Dulwich is a pure-Python implementation of the Git file formats and protocols
  • CVE-2026-0273 A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
  • CVE-2026-6893 A flaw was found in dracut (8.8 HIGH)
  • CVE-2026-46643 Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page