PatchSiren

tilt-dev CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL tilt-dev CVE published 2026-07-10

CVE-2026-55884

CVE-2026-55884 is a critical vulnerability in Tilt, a tool for defining dev environments as code for microservice apps on Kubernetes. The vulnerability allows unauthenticated network callers to trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources when bound to a non-loopback address. This issue affects Tilt [truncated]

HIGH tilt-dev CVE published 2026-07-10

CVE-2026-55883

CVE-2026-55883 is a high-severity vulnerability affecting Tilt, a tool for defining dev environments as code for microservice apps on Kubernetes. The issue exists in versions 0.24.0 through 0.37.3, where the Tilt HUD WebSocket at /ws/view, gated by a CSRF token, can be exploited by an attacker who can reach the listener when the HUD is network-exposed. This allows the attacker to open the HUD WebSocket an [truncated]

HIGH tilt-dev CVE published 2026-07-10

CVE-2026-55882

CVE-2026-55882 is a vulnerability in Tilt dev environments as code for microservice apps on Kubernetes. From version 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session [truncated]