website/content/en/docs/reference/issues-security/official-cve-feed.md

---
title: Official CVE Feed
weight: 25
outputs:
  - json
  - html 
layout: cve-feed
---

{{< feature-state for_k8s_version="v1.25" state="alpha" >}}

This is a community maintained list of official CVEs announced by
the Kubernetes Security Response Committee. See
[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/)
for more details.

The Kubernetes project publishes a programmatically accessible
[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of 
published security issues. You can access it by executing the following command:

{{< comment >}}
`replace` is used to bypass known issue with rendering ">"
: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template
`layouts/_default/cve-feed.json`
{{< /comment >}}

```shell
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
```

{{< cve-feed >}}

<!-- | CVE ID      | Issue Summary | CVE GitHub Issue URL |
| ----------- | ----------- | --------- |
| [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741)      | Symlink Exchange Can Allow Host Filesystem Access | [#104980](https://github.com/kubernetes/kubernetes/issues/104980) |
| [CVE-2020-8565](https://www.cve.org/CVERecord?id=CVE-2020-8565)      | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | [#95623](https://github.com/kubernetes/kubernetes/issues/95623) | -->

This feed is auto-refreshing with a noticeable but small lag (minutes to hours)
from the time a CVE is announced to the time it is accessible in this feed.

The source of truth of this feed is a set of GitHub Issues, filtered by a controlled and
restricted label `official-cve-feed`. The raw data is stored in a Google Cloud
Bucket which is writable only by a small number of trusted members of the
Community.