CVE-2026-29954

High CVSS: 7.6

In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.

Vendor

Cloudark

Product

Kubeplus

CWE

CWE-88

Yayın Tarihi

2026-03-30 17:16:15

Güncelleme

2026-04-06 15:51:33

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-88 Kubeplus HIGH Cloudark 2026

Referanslar

https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0 https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md