Path Traversal in Helm

CVE-2026-35204

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (4.7th percentile)

Affected products

  • Helm — versions >= 4.0.0, < 4.1.4

Weakness classification (CWE)

References