PT-2026-29059 · Kubeplus · Kubeplus

Author: B0B0Haha · Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-29954

CVSS v3.1: 7.6 (High), vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: KubePlus version 4.1.4

Description: KubePlus version 4.1.4 contains a Server-Side Request Forgery (SSRF) issue in the mutating webhook and kubeconfiggenerator components when they handle the chartURL field of ResourceComposition resources. The chartURL value is URL-encoded, but the target address is not properly validated. In particular, when the kubeconfiggenerator component uses wget to download charts, the chartURL is incorporated directly into the command line, so an attacker who controls it can inject wget's --header option and achieve arbitrary HTTP header injection. The API endpoint used for chart downloads is not specified. The vulnerable parameter is chartURL.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: Exploit, SSRF, Argument Injection

Related Identifiers: CVE-2026-29954

Affected Products: Kubeplus