Loading...
Loading...
Terraform, Vault, Consul, Nomad
Generated Jul 6, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗
Total all-time: 20 CVEs with HashiCorp Security advisories. Source: NVD CVE records joined with vendor advisory publish dates.
60.0% of HashiCorp Security's 20 CVEs are CRITICAL or HIGH severity. Industry median: 42.7%. Source: NVD CVSS v3.1.
0 of 20 HashiCorp Security CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (0.0%). Industry median: 1.1%.
Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.
Insufficient data to publish a reliable patch-velocity metric for HashiCorp Security(sample size: 1, minimum required: 10).
Most-frequently mapped CWEs across HashiCorp Security's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.
Latest advisories published by HashiCorp Security, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.
HCSEC-2026-16 - Vault Audit Device Plugin Directory Guard Bypass via Legacy Path Option
HCSEC-2026-15 - Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
HCSEC-2026-14 - Nomad arbitrary file read/write on client host through symlink attack
HCSEC-2026-13 - Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
HCSEC-2026-12 - Consul-template vulnerable to sandbox path bypass in file helper through symlink attack
HCSEC-2026-11 - Boundary Workers Vulnerable to Denial of Service During TLS Handshake
HCSEC-2026-10 - Updates to HashiCorp subprocessors
HCSEC-2026-09 - Remediation and Improved Secret Management for GitHub Webhook Secret Exposure
Full advisory archive: /pulse/vendor-advisories →
Snapshot generated Jul 6, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.
Spot a factual error in this report?
Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.