1229 matches found
PT-2026-34844
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..."...
AnythingLLM 跨站脚本漏洞
AnythingLLM is an integrated AI application developed by Mintplex. Versions of AnythingLLM prior to 1.12.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the markdown renderer in the chart component not encoding the alt text as HTML, which could lead to storage-ty...
SUSE SLES15 Security Update : helm (SUSE-SU-2026:1483-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1483-1 advisory. - CVE-2025-55199: crafted JSON Schema can lead to out of memory OOM termination bsc1248093. - CVE-2026-35206: files written to...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
BIT-HELM-2026-35206 Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions =3.20.1 and =4.1.3, a specially crafted Chart will cause helm pull --untar chart URL | repo/chartname to write the Chart's contents to the immediate output directory as defaulted to the current working directory; or as given by...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
CVE-2026-29955
CVE-2026-29955 affects KubePlus 4.14 (kubeconfiggenerator) /registercrd. The root cause is command injection via an unsanitized chartName that is directly concatenated into a shell command executed with subprocess.Popen(shell=True). This can allow arbitrary shell commands to be executed if a mali...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
KubePlus 安全漏洞
KubePlus is an open-source Kubernetes multi-tenant application management platform developed by cloud-ark. Version 4.14 of KubePlus contains a security vulnerability. This vulnerability stems from the /registercrd endpoint in the kubeconfiggenerator component, which fails to clean up or validate...
PT-2026-32490
Name of the Vulnerable Software and Affected Versions KubePlus version 4.14 Description The '/registercrd' endpoint in the kubeconfiggenerator component is susceptible to command injection. The issue occurs because the component utilizes the subprocess.Popen function with the shell=True parameter...
SUSE CVE-2026-35206
Helm is a package manager for Charts for Kubernetes. In Helm versions =3.20.1 and =4.1.3, a specially crafted Chart will cause helm pull --untar chart URL | repo/chartname to write the Chart's contents to the immediate output directory as defaulted to the current working directory; or as given by...
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: chart-testing, kube-arangodb, helm-set-status, k8ssandra-client, helm-operator, kuma, rancher-fleet, consul-k8s, flux, headlamp, tigera-operator, istio, cilium-cli, flux-source-controller, k9s, kubescape, linkerd2, envoy-gateway, eksctl, zarf, tw, cerbos, kots, harbo...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: chart-testing, kube-arangodb, helm-set-status, k8ssandra-client, helm-operator, kuma, rancher-fleet, consul-k8s, flux, headlamp, tigera-operator, istio, cilium-cli, flux-source-controller, k9s, kubescape, linkerd2, envoy-gateway, eksctl, zarf, tw, cerbos, kots, harbo...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: kubescape-server, helm-operator-fips, nova, trivy-operator, gitlab-operator-fips, harbor, trivy-operator-fips, cloudbeat-fips, envoy-gateway-fips, kubescape, harbor-fips, helm-exporter-fips, helm-operator, pluto-fips, flux-source-controller, gitlab-operator,...
EUVD-2026-21553
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:teamid/template/generate/:projectid. The GET handler calls checkAccessreq,...
GHSA-HR2V-4R36-88HR Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions /, instead of the expected //, potentially overwriting the contents of the targeted directory. Note: a chart name containing POSIX dot-dot, or dot-dot and slashes as if to refer to parent directories do not resolve beyond the...
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions /, instead of the expected //, potentially overwriting the contents of the targeted directory. Note: a chart name containing POSIX dot-dot, or dot-dot and slashes as if to refer to parent directories do not resolve beyond the...
CVE-2026-35206
A flaw was found in Helm, a package manager for Kubernetes. A remote attacker could exploit this vulnerability by providing a specially crafted Chart to the helm pull --untar command. This would cause the Chart's contents to be written to an unintended directory, potentially overwriting existing...