SCA: security update for github.com/inspektor-gadget/inspektor-gadget (GHSA-34r5-6j7w-235f)

medium Tenable Cloud Security Plugin ID 440752

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes
clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to
the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a
maliciously forged – partially or completely – event payload, coming from an observed container, might
inject the escape sequences into the terminal of ig operators, with various effects. The columns output
mode is the default when running ig run interactively. (CVE-2026-25996)
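
An added example (not Inspektor Gadget's code or its actual fix) of the kind of output sanitization whose absence is described above: untrusted string fields are made inert before being written into a terminal column. The function names `sanitizeField` and `renderRow`, the column layout, and the sample event are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// sanitizeField makes an untrusted string safe to print in a terminal column.
// C0 controls (including ESC, 0x1b), DEL, and C1 controls (0x80-0x9f, which
// include the one-character CSI 0x9b) are replaced by a visible \xNN escape.
// Tabs and newlines are escaped too, since they would break the column layout.
func sanitizeField(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			// Invalid UTF-8 byte: never pass it through raw.
			fmt.Fprintf(&b, `\x%02x`, s[i])
		case r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f):
			fmt.Fprintf(&b, `\x%02x`, r)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

// renderRow formats one event as columns (hypothetical layout: PID, COMM).
// Every string that originates from the observed workload is sanitized.
func renderRow(pid int, comm string) string {
	return fmt.Sprintf("%-8d %s", pid, sanitizeField(comm))
}

func main() {
	// Constructed sample: a process name carrying clear-screen and
	// cursor-home sequences followed by text meant to look like a row.
	comm := "sh\x1b[2J\x1b[Hfake-row"
	fmt.Println(renderRow(1234, comm))
}
```

Escaping rather than dropping the bytes keeps the tampering visible to the operator and in any captured output.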

Solution

Update the github.com/inspektor-gadget/inspektor-gadget library and its related packages to version 0.49.1 or later.

See Also

https://github.com/advisories/GHSA-34r5-6j7w-235f

Plugin Details

Severity: Medium

ID: 440752

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 4/23/2026

Updated: 4/23/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25996

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 2/12/2026

Reference Information

CVE: CVE-2026-25996

CWE: CWE-150