VYPR
Medium severity 4.4 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 16, 2026

CVE-2026-35206

Description

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart causes helm pull --untar [chart URL | repo/chartname] to write the Chart's contents directly into the immediate output directory (the current working directory by default, or the directory given by the --destination and --untardir flags) rather than into the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
helm.sh/helm/v4 (Go)    < 4.1.4             4.1.4
helm.sh/helm/v3 (Go)    < 3.20.2            3.20.2

Affected products

208
