CONSUL-K8S PATCHES TWO CRITICAL TEMPLATE INJECTION VULNERABILITIES
By RepoJournal
HashiCorp shipped emergency security upgrades to Jinja2 and pymdown-extensions across Consul Kubernetes, closing HTML attribute injection and Markdown processing vulnerabilities that could enable XSS attacks.
Two high-severity CVEs landed simultaneously in consul-k8s [1][2]. Jinja2 3.1.2 accepted malicious keys in the xmlattr filter, allowing attribute injection if user-controlled data reaches template rendering [3]. The pymdown-extensions flaw compounds the risk by processing untrusted Markdown through vulnerable filters [4]. Both fixes land in the gateway configuration layer, so any Consul on Kubernetes deployment that exposes user input through docs or templating is affected. Patch immediately to 3.1.6 and 10.0 respectively. In parallel, actions-go-build shipped v1.1.2 [5] to address GitHub's Node.js 20 deprecation warnings and stay compatible with the latest runner environments [6]. The update is automatic for consumers pinning @v1, so there is no deployment friction there. Pandora's Azure spec submodule bump [13] continues quiet API-surface harmonization work, while web-unified-docs syncs continue across the public and private repos [7][8][9][10][11]. Nomad Autoscaler's scheduler fix [12] excludes ineligible nodes from capacity calculations, preventing phantom capacity from skewing autoscaling decisions.
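As an added example (not code from consul-k8s or Jinja2), here is a minimal Python attribute builder that shows why an xmlattr-style filter must validate attribute names, not just escape them, and what the fixed behaviour looks like. The rejected-character set is an assumption modelled on the shape of the upstream fix, `restrict_keys` is a hypothetical application-side allowlist, and the tainted input is constructed for the demonstration.

```python
import html
import re

# Assumption: this reproduces the shape of the key check upstream Jinja2 added to the
# xmlattr filter after CVE-2024-22195 (whitespace in keys rejected first, with '/', '>'
# and '=' rejected in a later release). It is an illustration written for this article,
# not Jinja2's own code.
_BAD_KEY_CHARS = re.compile(r"[\s/>=]")


def is_safe_attr_name(key):
    """True if `key` cannot terminate the current attribute or start a new one."""
    return bool(key) and _BAD_KEY_CHARS.search(key) is None


def render_attrs_unvalidated(attrs):
    """Pre-fix behaviour: keys and values are HTML-escaped, but keys are never checked
    for separators, so a key containing a space is emitted as two attributes."""
    return "".join(f' {html.escape(k)}="{html.escape(str(v))}"' for k, v in attrs.items())


def render_attrs_validated(attrs):
    """Fixed behaviour: refuse any key that could break out of the attribute position."""
    for key in attrs:
        if not is_safe_attr_name(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
    return render_attrs_unvalidated(attrs)


def restrict_keys(attrs, allowed):
    """Hypothetical application-side control: keep only allowlisted attribute names,
    so untrusted input can supply values but never attribute names."""
    return {k: v for k, v in attrs.items() if k in allowed}


def attribute_names(markup):
    """Naive attribute tokenizer, used only to show what a parser would see."""
    return re.findall(r'([^\s=]+)(?:="[^"]*")?', markup)


if __name__ == "__main__":
    # Constructed input: one key that carries an embedded space.
    tainted = {"title extra": "x"}
    out = render_attrs_unvalidated(tainted)
    print(repr(out), attribute_names(out))  # one key in, two attribute names out
    try:
        render_attrs_validated(tainted)
    except ValueError as exc:
        print("rejected:", exc)
    safe = restrict_keys({"title extra": "x", "title": "ok"}, {"title", "alt"})
    print(repr(render_attrs_validated(safe)))
```

The detection signal is simple: if the number of attribute names in the rendered output exceeds the number of keys supplied, a key has escaped its attribute. Validation at the filter is the defence in depth; the primary control remains never letting untrusted input choose attribute names.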
Action items
- → Upgrade Jinja2 to 3.1.6 and pymdown-extensions to 10.0 in all consul-k8s deployments immediately hashicorp/consul-k8s [immediate]
- → Review any consul-k8s documentation or API specs exposed to user input for XSS surface hashicorp/consul-k8s [immediate]
- → Update actions-go-build to v1.1.2 in CI pipelines if pinning to v1 hashicorp/actions-go-build [plan]
References
- [1] security: upgrade Jinja2 3.1.2 -> 3.1.6 to fix GHSA-h5c8-rqwp-cp95 (CVE-2024-22195) (#5285) hashicorp/consul-k8s
- [2] security: upgrade pymdown-extensions 9.11 -> 10.0 to fix GHSA-jh85-wwv9-24hv (CVE-2023-32309) (#5291) hashicorp/consul-k8s
- [3] security: upgrade Jinja2 3.1.2 -> 3.1.6 to fix GHSA-h5c8-rqwp-cp95 (CVE-2024-22195) ↗ hashicorp/consul-k8s
- [4] security: upgrade pymdown-extensions 9.11 -> 10.0 to fix GHSA-jh85-wwv9-24hv (CVE-2023-32309) ↗ hashicorp/consul-k8s
- [5] v1.1.2 ↗ hashicorp/actions-go-build
- [6] SMRE-1068: Publish updated GitHub Actions versions to address Node.js 20 deprecation - v1.1.2 ↗ hashicorp/actions-go-build
- [7] Repo sync ↗ hashicorp/web-unified-docs
- [8] Repo sync ↗ hashicorp/web-unified-docs
- [9] Repo sync ↗ hashicorp/web-unified-docs
- [10] add import docs to tfe nav (#2382) hashicorp/web-unified-docs
- [11] TF-37107 Add TFE deprecation notice for Redis 6.2 and 6.4 (#2334) hashicorp/web-unified-docs
- [12] fix: exclude ineligible nodes from pool capacity calculations (#1286) hashicorp/nomad-autoscaler
- [13] build(deps): bump submodules/rest-api-specs from `fa74a24` to `ca1b73e` ↗ hashicorp/pandora
FAQ
- What changed in HashiCorp on May 7, 2026?
- HashiCorp shipped emergency security upgrades to Jinja2 and pymdown-extensions across Consul Kubernetes, closing HTML attribute injection and Markdown processing vulnerabilities that could enable XSS attacks.
- What should HashiCorp teams do about it?
- Upgrade Jinja2 to 3.1.6 and pymdown-extensions to 10.0 in all consul-k8s deployments immediately • Review any consul-k8s documentation or API specs exposed to user input for XSS surface • Update actions-go-build to v1.1.2 in CI pipelines if pinning to v1
- Which HashiCorp repositories shipped on May 7, 2026?
- hashicorp/consul-k8s, hashicorp/actions-go-build, hashicorp/web-unified-docs, hashicorp/nomad-autoscaler, hashicorp/pandora