CVE-2026-32737 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-32737 PUBLISHED CVSS 7.900000095367432 HIGH

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.

EPSS 0.02% · 5.4th percentile

Risk Scores

CVSS v4.0

7.900000095367432

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

EPSS Score

0.02%

5.4th percentile

Affected Products

Vendor	Product	Versions
ctfer-io	romeo	< 0.2.1, 0, < 0.2.1
github.com	ctfer-io/romeo/environment/deploy	0, 0

Timeline

Mar 16, 2026 CVE Published
Mar 19, 2026 CVE Updated
Mar 19, 2026 EPSS Score
Mar 20, 2026 EPSS Score
Mar 21, 2026 EPSS Score
Mar 22, 2026 EPSS Score
Mar 23, 2026 EPSS Score
Mar 24, 2026 EPSS Score
Mar 24, 2026 Security Advisory
Mar 25, 2026 EPSS Score

References

Open in Interactive Console →