1229 matches found
PT-2026-34844
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..."...
AnythingLLM 跨站脚本漏洞
AnythingLLM is an integrated AI application developed by Mintplex. Versions of AnythingLLM prior to 1.12.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the markdown renderer in the chart component not encoding the alt text as HTML, which could lead to storage-ty...
SUSE SLES15 Security Update : helm (SUSE-SU-2026:1483-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1483-1 advisory. - CVE-2025-55199: crafted JSON Schema can lead to out of memory OOM termination bsc1248093. - CVE-2026-35206: files written to...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
BIT-HELM-2026-35206 Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions =3.20.1 and =4.1.3, a specially crafted Chart will cause helm pull --untar chart URL | repo/chartname to write the Chart's contents to the immediate output directory as defaulted to the current working directory; or as given by...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
CVE-2026-29955
CVE-2026-29955 affects KubePlus 4.14 (kubeconfiggenerator) /registercrd. The root cause is command injection via an unsanitized chartName that is directly concatenated into a shell command executed with subprocess.Popen(shell=True). This can allow arbitrary shell commands to be executed if a mali...
CVE-2026-29955
The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...
KubePlus 安全漏洞
KubePlus is an open-source Kubernetes multi-tenant application management platform developed by cloud-ark. Version 4.14 of KubePlus contains a security vulnerability. This vulnerability stems from the /registercrd endpoint in the kubeconfiggenerator component, which fails to clean up or validate...
PT-2026-32490
Name of the Vulnerable Software and Affected Versions KubePlus version 4.14 Description The '/registercrd' endpoint in the kubeconfiggenerator component is susceptible to command injection. The issue occurs because the component utilizes the subprocess.Popen function with the shell=True parameter...
SUSE CVE-2026-35206
Helm is a package manager for Charts for Kubernetes. In Helm versions =3.20.1 and =4.1.3, a specially crafted Chart will cause helm pull --untar chart URL | repo/chartname to write the Chart's contents to the immediate output directory as defaulted to the current working directory; or as given by...
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: helm-set-status, k8ssandra-client, teleport, flux, eksctl, cerbos, linkerd2, zarf, chartmuseum, helm-mapkubeapis, helm-push, kubescape, kube-arangodb, cluster-api-helm-controller, envoy-gateway, cert-manager-cmctl, headlamp, tigera-operator, flux-source-controller,...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: helm-set-status, k8ssandra-client, teleport, flux, eksctl, cerbos, linkerd2, zarf, chartmuseum, helm-mapkubeapis, helm-push, kubescape, kube-arangodb, cluster-api-helm-controller, envoy-gateway, cert-manager-cmctl, headlamp, tigera-operator, flux-source-controller,...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: k8ssandra-client, tigera-operator, kubescape-server, chart-testing, cert-manager-cmctl, istio, chart-testing-fips, consul-k8s, envoy-gateway-fips, flux, gitlab-operator, headlamp, helm-diff-fips, nova-fips, cloudbeat, chartmuseum, cluster-api-helm-controller,...
EUVD-2026-21553
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:teamid/template/generate/:projectid. The GET handler calls checkAccessreq,...
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions /, instead of the expected //, potentially overwriting the contents of the targeted directory. Note: a chart name containing POSIX dot-dot, or dot-dot and slashes as if to refer to parent directories do not resolve beyond the...
GHSA-HR2V-4R36-88HR Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions /, instead of the expected //, potentially overwriting the contents of the targeted directory. Note: a chart name containing POSIX dot-dot, or dot-dot and slashes as if to refer to parent directories do not resolve beyond the...
CVE-2026-35206
A flaw was found in Helm, a package manager for Kubernetes. A remote attacker could exploit this vulnerability by providing a specially crafted Chart to the helm pull --untar command. This would cause the Chart's contents to be written to an unintended directory, potentially overwriting existing...