High severity7.6NVD Advisory· Published Mar 30, 2026· Updated Apr 6, 2026

CVE-2026-29954

Description

In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's --header option to achieve arbitrary HTTP header injection.

Affected products

Cloudark/Kubeplus
cpe:2.3:a:cloudark:kubeplus:4.1.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0nvdExploitMitigationThird Party Advisory
github.com/b0b0haha/CVE-2026-29954/blob/main/README.mdnvdExploitMitigationThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.494
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000