Salt vulnerabilities: known CVEs & security history
SaltStack · Configuration management · 52 tracked CVEs · 3 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Salt release lines — 52 in total, with 3 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Salt's current status and the safe version to run.
Known Salt CVEs
Actively-exploited and most-severe first.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2020-16846 (exploited) | critical | 9.8 | 100% | 2020 |
| CVE-2020-11651 (exploited) | critical | 9.8 | 96% | 2020 |
| CVE-2020-11652 (exploited) | medium | 6.5 | 86% | 2020 |
| CVE-2021-33226 | critical | 9.8 | 2% | 2023 |
| CVE-2021-25315 | critical | 9.8 | 2% | 2021 |
| CVE-2021-3197 | critical | 9.8 | 72% | 2021 |
| CVE-2021-3148 | critical | 9.8 | 8% | 2021 |
| CVE-2021-25283 | critical | 9.8 | 10% | 2021 |
| CVE-2021-25281 | critical | 9.8 | 73% | 2021 |
| CVE-2020-25592 | critical | 9.8 | 57% | 2020 |
| CVE-2019-17361 | critical | 9.8 | 15% | 2020 |
| CVE-2018-15751 | critical | 9.8 | 5% | 2018 |
| CVE-2017-7893 | critical | 9.8 | 1% | 2018 |
| CVE-2017-14695 | critical | 9.8 | 3% | 2017 |
| CVE-2017-12791 | critical | 9.8 | 5% | 2017 |
| CVE-2024-38824 | critical | 9.6 | 1% | 2025 |
| CVE-2021-3144 | critical | 9.1 | 5% | 2021 |
| CVE-2021-25282 | critical | 9.1 | 92% | 2021 |
| CVE-2016-9639 | critical | 9.1 | 3% | 2017 |
| CVE-2013-6617 | high | 10 | 3% | 2013 |
| CVE-2013-4437 | high | 10 | 1% | 2013 |
| CVE-2013-4436 | high | 9.3 | 2% | 2013 |
| CVE-2022-22967 | high | 8.8 | 2% | 2022 |
| CVE-2022-22941 | high | 8.8 | 1% | 2022 |
| CVE-2022-22936 | high | 8.8 | 1% | 2022 |
| CVE-2022-22934 | high | 8.8 | 1% | 2022 |
| CVE-2017-5200 | high | 8.8 | 3% | 2017 |
| CVE-2017-5192 | high | 8.8 | 2% | 2017 |
| CVE-2016-1866 | high | 8.1 | 2% | 2016 |
| CVE-2021-31607 | high | 7.8 | 4% | 2021 |
| CVE-2020-28243 | high | 7.8 | 4% | 2021 |
| CVE-2017-8109 | high | 7.8 | 0% | 2017 |
| CVE-2021-21996 | high | 7.5 | 3% | 2021 |
| CVE-2017-14696 | high | 7.5 | 3% | 2017 |
| CVE-2015-4017 | high | 7.5 | 1% | 2017 |
| CVE-2013-4438 | high | 7.5 | 2% | 2013 |
| CVE-2020-35662 | high | 7.4 | 3% | 2021 |
| CVE-2014-3563 | high | 7.2 | 0% | 2014 |
| CVE-2021-22004 | medium | 6.4 | 0% | 2021 |
| CVE-2013-4435 | medium | 6 | 2% | 2013 |
| CVE-2020-28972 | medium | 5.9 | 3% | 2021 |
| CVE-2016-3176 | medium | 5.6 | 1% | 2017 |
| CVE-2020-17490 | medium | 5.5 | 0% | 2020 |
| CVE-2023-20897 | medium | 5.3 | 1% | 2023 |
| CVE-2018-15750 | medium | 5.3 | 4% | 2018 |
| CVE-2015-1839 | medium | 5.3 | 0% | 2017 |
| CVE-2015-1838 | medium | 5.3 | 0% | 2017 |
| CVE-2013-4439 | medium | 4.9 | 1% | 2013 |
| CVE-2021-25284 | medium | 4.4 | 1% | 2021 |
| CVE-2023-20898 | medium | 4.2 | 0% | 2023 |
| CVE-2022-22935 | low | 3.7 | 2% | 2022 |
| CVE-2015-8034 | low | 3.3 | 0% | 2017 |
Is my Salt version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Salt vulnerabilities — frequently asked
How many known vulnerabilities does Salt have?
IsItPatched tracks 52 CVEs for Salt, 3 of which are actively exploited (CISA KEV). 18 are critical-severity and 19 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Salt have any actively-exploited vulnerabilities?
Yes — 3 Salt CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe Salt vulnerability?
Among tracked issues, CVE-2020-16846 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest; it is an OS command injection weakness.
Is Salt safe to use?
It depends on the version. The latest supported Salt release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against SaltStack's advisories.