BIT-HELM-2026-35205 Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance .prov file when signature verification is required. This vulnerability is fixed in 4.1.4...
PT-2026-32426
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...
SUSE CVE-2026-35204
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...
CVE-2026-35204
A flaw was found in Helm, a package manager for Kubernetes. An attacker could exploit this vulnerability by providing a specially crafted Helm plugin. When such a plugin is installed or updated, Helm incorrectly processes its configuration, allowing the plugin's contents to be written to an...
Failing Open
Overview Affected versions of this package are vulnerable to Failing Open in plugin installation, when signature verification is required, but the .prov file is missing. An attacker can execute arbitrary code by providing a malicious plugin archive that omits provenance data, thereby bypassing...
GHSA-Q5JF-9VFQ-H4H7 Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance .prov file when signature verification is required. Impact The bug allows plugin authors to omit provenance signing data from plugins, bypassing plugin signature...
CVE-2026-35205
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance .prov file when signature verification is required. This vulnerability is fixed in 4.1.4...
CVE-2026-35205
Helm's plugin verification flaw allows installation of unsigned plugins when provenance (.prov) is missing, bypassing signature verification. Affected are Helm versions 4.0.0–4.1.3; the issue is fixed in 4.1.4.
CVE-2026-35204 Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...
CVE-2026-35204
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...
CVE-2026-35204
Helm
PT-2026-31623
Helm versions 4.0.0 through 4.1.3 Description Helm, a package manager for Kubernetes Charts, contains a flaw where a crafted plugin, during installation or update, can write files to arbitrary locations on the filesystem. This occurs because the version field within the plugin.yaml file lacks...
EUVD-2021-1132
Malware in sbrugna...
SUSE CVE-2020-15187
In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform thi...
MAL-2022-3562 Malicious code in harness-helm-plugin (npm)
Source: ghsa-malware 0008cf12cac94140f089a7ba2a7d297c874737f5bfbd34256de9b47b44d084bd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2020-4053
A flaw was found in the Helm plugin installation, where it was vulnerable to path traversal attacks. This flaw allows an attacker to create specially crafted plugin archives to create files outside of the plugin directory. The highest threat from this vulnerability is to confidentiality, integrit...
Helm Plugin Validation Vulnerability
Helm is a Kubernetes package manager. A security vulnerability exists in Helm versions prior to 2.16.11 and 3.3.2, which stems from a failure to properly sanitize plugin names and can be exploited by an attacker to use illegal characters in plugin names...
CVE-2020-4053 Path Traversal in Helm Plugin Archive
In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended director...