CVE-2026-35204

8.6 HIGH
Published: April 09, 2026 Modified: April 17, 2026
View on NVD

Description

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027
Source: security-advisories@github.com
Patch
https://github.com/helm/helm/releases/tag/v4.1.4
Source: security-advisories@github.com
Product Release Notes
https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg
Source: security-advisories@github.com
Mitigation Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.6 / 10.0
EPSS (Exploit Probability)
0.0%
2th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22

Affected Vendors

helm

Related CVEs

CVE-2026-6560 8.8
CVE-2026-6559 4.3
CVE-2026-0868 6.4
CVE-2026-6056 N/A
CVE-2026-41242 N/A