CVE-2026-29955

Published: Apr 13, 2026

Modified: Apr 15, 2026

PUBLISHED

Description

The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://gist.github.com/b0b0haha/f011fdd69adc3ae272a4e3b99af90163

https://github.com/b0b0haha/CVE-2026-29955/blob/main/README.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-29955

Description

Affected Products

References