CVE-2026-29955

Name of the Vulnerable Software and Affected Versions KubePlus version 4.14

Description The '/registercrd' endpoint in the kubeconfiggenerator component is susceptible to command injection. The issue occurs because the component utilizes the subprocess.Popen() function with the shell=True parameter to execute shell commands, directly concatenating the user-supplied chartName parameter into the command string without proper sanitization or validation. This allows an attacker to execute arbitrary shell commands by providing a malicious value for the chartName variable.

Recommendations As a temporary workaround, avoid using the chartName parameter in the '/registercrd' endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.