VDB
KO

GO-2026-5875

Rancher vulnerable to command injection through unsanitized YAML parameter in github.com/rancher/rancher

Details

Rancher vulnerable to command injection through unsanitized YAML parameter in github.com/rancher/rancher.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/rancher/rancher from v2.10.0 before v2.10.12, from v2.11.0 before v2.11.14, from v2.12.0 before v2.12.10, from v2.13.0 before v2.13.6, from v2.14.0 before v2.14.2.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/rancher/rancher
Introduced in: 0 Fixed in: 0.0.0-20260617231817-2aa77eb283e7
Fix go get github.com/rancher/rancher@v0.0.0-20260617231817-2aa77eb283e7

References