CVE-2026-32613

Daily digests

Spinnaker's expression parsing in the Echo pipeline triggers component doesn't restrict context handling, which lets an attacker inject expressions that execute arbitrary code on the server. No authentication bypass is needed if the attacker can submit or modify a pipeline definition. CVSS 10.0, not yet exploited in the wild, and EPSS is low (0.00057), but the impact is full remote code execution.

• Daily Digest · Apr 21, 2026

  4 CVSS 10.0s today, Spinnaker RCE tops the list