VYPR

Kubeplus

by Cloudark

CVEs (2)

  • CVE-2026-29955 (High), Apr 13, 2026
    risk 0.57, cvss 8.8, epss 0.02

    The `/registercrd` endpoint of the kubeconfiggenerator component in KubePlus 4.14 is vulnerable to command injection. The component calls `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly…

  • CVE-2026-29954 (High), Mar 30, 2026
    risk 0.49, cvss 7.6, epss 0.00

    In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when…