Argo CD Security-Hardened Images

Security Scan 2026-06-01

Argo CD security-hardened images include precisely what is needed to run Argo CD. As a result, we build smaller-sized images with a reduced number of CVEs. By not including a package manager and inserting the needed runtime dependencies, the attack surface is significantly reduced.

Below you will find the weekly-updated security scans of Akuity's security-hardened Argo CD images compared with the open source images.

Akuity v2.14.21-distroless vs Argo CD v2.14.21

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.14.21-distroless`

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`git-lfs`	CVE-2025-68121	CRITICAL	3.7.1-r0	3.7.1-r4
`git-lfs`	CVE-2025-61726	HIGH	3.7.1-r0	3.7.1-r3
`git-lfs`	CVE-2025-61731	HIGH	3.7.1-r0	3.7.1-r3
`git-lfs`	CVE-2025-61732	HIGH	3.7.1-r0	3.7.1-r4
`git-lfs`	CVE-2026-27140	HIGH	3.7.1-r0	3.7.1-r9
`git-lfs`	CVE-2026-32280	HIGH	3.7.1-r0	3.7.1-r9
`git-lfs`	CVE-2026-32281	HIGH	3.7.1-r0	3.7.1-r9
`git-lfs`	CVE-2026-32283	HIGH	3.7.1-r0	3.7.1-r9
`git-lfs`	CVE-2026-33814	HIGH	3.7.1-r0	3.7.1-r12
`libcrypto3`	CVE-2025-15467	HIGH	3.6.0-r3	3.6.1-r0
`libcrypto3`	CVE-2025-69421	HIGH	3.6.0-r3	3.6.1-r0
`libssl3`	CVE-2025-15467	HIGH	3.6.0-r3	3.6.1-r0
`libssl3`	CVE-2025-69421	HIGH	3.6.0-r3	3.6.1-r0

`usr/local/bin/argocd`

Vulnerabilities (25)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/argoproj/argo-cd/v2`	CVE-2026-45738	HIGH	2.14.21
`github.com/expr-lang/expr`	CVE-2025-68156	HIGH	v1.17.0	1.17.7
`github.com/go-git/go-billy/v5`	CVE-2026-44973	HIGH	v5.6.2	5.9.0
`github.com/go-git/go-git/v5`	CVE-2026-45022	HIGH	v5.13.2	5.19.0
`github.com/go-jose/go-jose/v4`	CVE-2026-34986	HIGH	v4.0.2	4.1.4
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.4.0	0.5.1
`go.opentelemetry.io/otel/sdk`	CVE-2026-24051	HIGH	v1.33.0	1.40.0
`go.opentelemetry.io/otel/sdk`	CVE-2026-39883	HIGH	v1.33.0	1.43.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.24.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.68.1	1.79.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.24.6	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2025-61726	HIGH	v1.24.6	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.24.6	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.24.6	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.24.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.24.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.24.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.24.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.24.6	1.25.10, 1.26.3

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.13	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.13	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.13	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.13	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.13	1.25.10, 1.26.3

`usr/local/bin/helm`

Vulnerabilities (25)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/containerd/containerd`	CVE-2024-25621	HIGH	v1.7.23	1.7.29
`github.com/docker/cli`	CVE-2025-15558	HIGH	v25.0.1+incompatible	29.2.0
`github.com/docker/docker`	CVE-2026-34040	HIGH	v25.0.6+incompatible	29.3.1
`github.com/docker/docker`	CVE-2026-41567	HIGH	v25.0.6+incompatible
`github.com/docker/docker`	CVE-2026-42306	HIGH	v25.0.6+incompatible
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.4.0	0.5.1
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.27.0	0.31.0
`golang.org/x/crypto`	CVE-2025-22869	HIGH	v0.27.0	0.35.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.21.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.65.0	1.79.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.22.7	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2025-61726	HIGH	v1.22.7	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.22.7	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.22.7	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.22.7	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.22.7	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.22.7	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.22.7	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.22.7	1.25.10, 1.26.3

`usr/local/bin/kustomize`

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.12	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.12	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.12	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.12	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.12	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.12	1.25.10, 1.26.3

Akuity v2.13.9-distroless vs Argo CD v2.13.9

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.13.9-distroless`

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`git-lfs`	CVE-2025-68121	CRITICAL	3.7.0-r1	3.7.1-r4
`git-lfs`	CVE-2025-61726	HIGH	3.7.0-r1	3.7.1-r3
`git-lfs`	CVE-2025-61731	HIGH	3.7.0-r1	3.7.1-r3
`git-lfs`	CVE-2025-61732	HIGH	3.7.0-r1	3.7.1-r4
`git-lfs`	CVE-2026-27140	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32280	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32281	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32283	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-33814	HIGH	3.7.0-r1	3.7.1-r12
`libcrypto3`	CVE-2025-15467	HIGH	3.5.2-r1	3.6.1-r0
`libcrypto3`	CVE-2025-69421	HIGH	3.5.2-r1	3.6.1-r0
`libssl3`	CVE-2025-15467	HIGH	3.5.2-r1	3.6.1-r0
`libssl3`	CVE-2025-69421	HIGH	3.5.2-r1	3.6.1-r0

`usr/local/bin/argocd`

Vulnerabilities (30)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/argoproj/argo-cd/v2`	CVE-2025-59531	HIGH	2.13.9	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2025-59537	HIGH	2.13.9	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2025-59538	HIGH	2.13.9	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2026-45738	HIGH	2.13.9
`github.com/expr-lang/expr`	CVE-2025-68156	HIGH	v1.17.2	1.17.7
`github.com/go-git/go-billy/v5`	CVE-2026-44973	HIGH	v5.6.1	5.9.0
`github.com/go-git/go-git/v5`	CVE-2026-45022	HIGH	v5.13.1	5.19.0
`github.com/go-jose/go-jose/v4`	CVE-2026-34986	HIGH	v4.0.5	4.1.4
`github.com/golang-jwt/jwt`	CVE-2025-30204	HIGH	v3.2.2+incompatible
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.4.0	0.5.1
`go.opentelemetry.io/otel/sdk`	CVE-2026-24051	HIGH	v1.30.0	1.40.0
`go.opentelemetry.io/otel/sdk`	CVE-2026-39883	HIGH	v1.30.0	1.43.0
`golang.org/x/crypto`	CVE-2025-22869	HIGH	v0.32.0	0.35.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.23.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.66.2	1.79.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.23.1	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2025-61726	HIGH	v1.23.1	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.23.1	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.23.1	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.23.1	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.23.1	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.23.1	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.23.1	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.23.1	1.25.10, 1.26.3

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.13	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.13	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.13	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.13	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.13	1.25.10, 1.26.3

`usr/local/bin/helm`

Vulnerabilities (26)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/containerd/containerd`	CVE-2024-25621	HIGH	v1.7.12	1.7.29
`github.com/docker/cli`	CVE-2025-15558	HIGH	v25.0.1+incompatible	29.2.0
`github.com/docker/docker`	CVE-2026-34040	HIGH	v25.0.6+incompatible	29.3.1
`github.com/docker/docker`	CVE-2026-41567	HIGH	v25.0.6+incompatible
`github.com/docker/docker`	CVE-2026-42306	HIGH	v25.0.6+incompatible
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.2.0	0.5.1
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.25.0	0.31.0
`golang.org/x/crypto`	CVE-2025-22869	HIGH	v0.25.0	0.35.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.10.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.58.3	1.79.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.22.6	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.22.6	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.22.6	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.22.6	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.22.6	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.22.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.22.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.22.6	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.22.6	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.22.6	1.25.10, 1.26.3

`usr/local/bin/kustomize`

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.12	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.12	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.12	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.12	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.12	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.12	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.12	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.12	1.25.10, 1.26.3

Akuity v2.12.13-distroless vs Argo CD v2.12.13

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.12.13-distroless`

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`git-lfs`	CVE-2025-68121	CRITICAL	3.7.0-r1	3.7.1-r4
`git-lfs`	CVE-2025-61726	HIGH	3.7.0-r1	3.7.1-r3
`git-lfs`	CVE-2025-61731	HIGH	3.7.0-r1	3.7.1-r3
`git-lfs`	CVE-2025-61732	HIGH	3.7.0-r1	3.7.1-r4
`git-lfs`	CVE-2026-27140	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32280	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32281	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-32283	HIGH	3.7.0-r1	3.7.1-r9
`git-lfs`	CVE-2026-33814	HIGH	3.7.0-r1	3.7.1-r12
`libcrypto3`	CVE-2025-15467	HIGH	3.5.2-r1	3.6.1-r0
`libcrypto3`	CVE-2025-69421	HIGH	3.5.2-r1	3.6.1-r0
`libssl3`	CVE-2025-15467	HIGH	3.5.2-r1	3.6.1-r0
`libssl3`	CVE-2025-69421	HIGH	3.5.2-r1	3.6.1-r0

`usr/local/bin/argocd`

Vulnerabilities (34)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/argoproj/argo-cd/v2`	CVE-2025-47933	CRITICAL	2.12.13	2.13.8, 2.14.13
`github.com/argoproj/argo-cd/v2`	CVE-2025-59531	HIGH	2.12.13	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2025-59537	HIGH	2.12.13	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2025-59538	HIGH	2.12.13	2.14.20
`github.com/argoproj/argo-cd/v2`	CVE-2026-45738	HIGH	2.12.13
`github.com/expr-lang/expr`	CVE-2025-68156	HIGH	v1.17.2	1.17.7
`github.com/go-git/go-billy/v5`	CVE-2026-44973	HIGH	v5.6.1	5.9.0
`github.com/go-git/go-git/v5`	CVE-2026-45022	HIGH	v5.13.1	5.19.0
`github.com/go-jose/go-jose/v3`	CVE-2026-34986	HIGH	v3.0.3	3.0.5
`github.com/golang-jwt/jwt`	CVE-2025-30204	HIGH	v3.2.2+incompatible
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.2.0	0.5.1
`go.opentelemetry.io/otel/sdk`	CVE-2026-24051	HIGH	v1.21.0	1.40.0
`go.opentelemetry.io/otel/sdk`	CVE-2026-39883	HIGH	v1.21.0	1.43.0
`golang.org/x/crypto`	CVE-2025-22869	HIGH	v0.31.0	0.35.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.12.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.59.0	1.79.3
`k8s.io/kubernetes`	CVE-2024-10220	HIGH	v1.29.6	1.28.12, 1.29.7, 1.30.3
`k8s.io/kubernetes`	CVE-2024-5321	HIGH	v1.29.6	1.27.16, 1.28.12, 1.29.7, 1.30.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.22.4	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.22.4	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.22.4	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.22.4	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.22.4	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.22.4	1.25.10, 1.26.3

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.13	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.13	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.13	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.13	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.13	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.13	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.13	1.25.10, 1.26.3

`usr/local/bin/helm`

Vulnerabilities (27)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/containerd/containerd`	CVE-2024-25621	HIGH	v1.7.12	1.7.29
`github.com/docker/cli`	CVE-2025-15558	HIGH	v25.0.1+incompatible	29.2.0
`github.com/docker/docker`	CVE-2024-41110	CRITICAL	v25.0.5+incompatible	23.0.15, 26.1.5, 27.1.1, 25.0.6
`github.com/docker/docker`	CVE-2026-34040	HIGH	v25.0.5+incompatible	29.3.1
`github.com/docker/docker`	CVE-2026-41567	HIGH	v25.0.5+incompatible
`github.com/docker/docker`	CVE-2026-42306	HIGH	v25.0.5+incompatible
`github.com/moby/spdystream`	CVE-2026-35469	HIGH	v0.2.0	0.5.1
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.21.0	0.31.0
`golang.org/x/crypto`	CVE-2025-22869	HIGH	v0.21.0	0.35.0
`golang.org/x/oauth2`	CVE-2025-22868	HIGH	v0.10.0	0.27.0
`google.golang.org/grpc`	CVE-2026-33186	CRITICAL	v1.58.3	1.79.3
`stdlib`	CVE-2025-68121	CRITICAL	v1.22.4	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.22.4	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.22.4	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.22.4	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.22.4	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.22.4	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.22.4	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.22.4	1.25.10, 1.26.3

`usr/local/bin/kustomize`

Vulnerabilities (17)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-24790	CRITICAL	v1.21.10	1.21.11, 1.22.4
`stdlib`	CVE-2025-68121	CRITICAL	v1.21.10	1.24.13, 1.25.7, 1.26.0-rc.3
`stdlib`	CVE-2024-34156	HIGH	v1.21.10	1.22.7, 1.23.1
`stdlib`	CVE-2025-61726	HIGH	v1.21.10	1.24.12, 1.25.6
`stdlib`	CVE-2025-61729	HIGH	v1.21.10	1.24.11, 1.25.5
`stdlib`	CVE-2026-25679	HIGH	v1.21.10	1.25.8, 1.26.1
`stdlib`	CVE-2026-32280	HIGH	v1.21.10	1.25.9, 1.26.2
`stdlib`	CVE-2026-32281	HIGH	v1.21.10	1.25.9, 1.26.2
`stdlib`	CVE-2026-32283	HIGH	v1.21.10	1.25.9, 1.26.2
`stdlib`	CVE-2026-33811	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-33814	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-39820	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-39823	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-39825	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-39826	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-39836	HIGH	v1.21.10	1.25.10, 1.26.3
`stdlib`	CVE-2026-42499	HIGH	v1.21.10	1.25.10, 1.26.3

Security Scan 2026-06-01​

Akuity v2.14.21-distroless vs Argo CD v2.14.21​

quay.io/akuity/argocd:v2.14.21-distroless

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/argocd

Vulnerabilities (25)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (25)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Akuity v2.13.9-distroless vs Argo CD v2.13.9​

quay.io/akuity/argocd:v2.13.9-distroless

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/argocd

Vulnerabilities (30)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (26)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Akuity v2.12.13-distroless vs Argo CD v2.12.13​

quay.io/akuity/argocd:v2.12.13-distroless

Vulnerabilities (13)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/argocd

Vulnerabilities (34)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (16)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (27)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (17)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Security Scan 2026-06-01

Akuity v2.14.21-distroless vs Argo CD v2.14.21

`quay.io/akuity/argocd:v2.14.21-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`

Akuity v2.13.9-distroless vs Argo CD v2.13.9

`quay.io/akuity/argocd:v2.13.9-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`

Akuity v2.12.13-distroless vs Argo CD v2.12.13

`quay.io/akuity/argocd:v2.12.13-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`