CVE-2026-35206 (GCVE-0-2026-35206)
Vulnerability from cvelistv5 – Published: 2026-04-09 21:02 – Updated: 2026-04-14 14:45 – CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Affected: Helm < 3.20.2 and >= 4.0.0, < 4.1.4; fixed in 3.20.2 and 4.1.4. Triggered when a user runs `helm pull --untar` on a crafted chart: the chart's contents are written directly into the destination directory (default: the current working directory, or the path given by --destination / --untardir) instead of a subdirectory named after the chart.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:45:03.230344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:45:12.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm",
"vendor": "helm",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.4"
},
{
"status": "affected",
"version": "\u003c 3.20.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T21:02:13.594Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"
},
{
"name": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"
},
{
"name": "https://github.com/helm/helm/releases/tag/v4.1.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
}
],
"source": {
"advisory": "GHSA-hr2v-4r36-88hr",
"discovery": "UNKNOWN"
},
"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35206",
"datePublished": "2026-04-09T21:02:13.594Z",
"dateReserved": "2026-04-01T18:48:58.937Z",
"dateUpdated": "2026-04-14T14:45:12.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-35206",
"date": "2026-05-05",
"epss": "0.00015",
"percentile": "0.03214"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35206\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T21:16:09.993\",\"lastModified\":\"2026-04-16T20:36:08.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\"
,\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.20.2\",\"matchCriteriaId\":\"07487FEE-D6F0-42D6-953A-C1C68CFEB0EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.1.4\",\"matchCriteriaId\":\"800B9949-E36B-45F3-9EA0-CA9DDA3D8868\"}]}]}],\"references\":[{\"url\":\"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/helm/helm/releases/tag/v4.1.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release 
Notes\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35206\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T14:45:03.230344Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-14T14:45:08.743Z\"}}], \"cna\": {\"title\": \"Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment\", \"source\": {\"advisory\": \"GHSA-hr2v-4r36-88hr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"helm\", \"product\": \"helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.1.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.20.2\"}]}], \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\", \"name\": \"https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": 
\"https://github.com/helm/helm/releases/tag/v4.1.4\", \"name\": \"https://github.com/helm/helm/releases/tag/v4.1.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T21:02:13.594Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35206\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-14T14:45:12.096Z\", \"dateReserved\": \"2026-04-01T18:48:58.937Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-09T21:02:13.594Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-35206
Vulnerability from fkie_nvd - Published: 2026-04-09 21:16 - Updated: 2026-04-16 20:36
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07487FEE-D6F0-42D6-953A-C1C68CFEB0EE",
"versionEndExcluding": "3.20.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "800B9949-E36B-45F3-9EA0-CA9DDA3D8868",
"versionEndExcluding": "4.1.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4."
}
],
"id": "CVE-2026-35206",
"lastModified": "2026-04-16T20:36:08.770",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-09T21:16:09.993",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
SUSE-SU-2026:21461-1
Vulnerability from csaf_suse - Published: 2026-04-30 13:22 - Updated: 2026-04-30 13:22
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\nUpdate to version 3.20.2.\n\nSecurity issued fixed:\n\n- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to\n expected output directory suffixed by the Chart\u0027s name (bsc#1261938).\n\nOther updates and bugfixes:\n\n- Version 3.20.1:\n - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])\n - add image index test 90e1056 (Pedro Trres)\n - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)\n - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)\n - Fix import 45c12f7 (Evans Mungai)\n - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)\n - Fix lint warning 09f5129 (Evans Mungai)\n - Preserve nil values in chart already 417deb2 (Evans Mungai)\n - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)\n- Version 3.20.0:\n - SDK: bump k8s API versions to v0.35.0\n - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564\n - v3 backport: Bump Go version to v1.25\n - bump version to v3.20\n - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0\n - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0\n - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0\n - chore(deps): bump the k8s-io group with 7 updates\n - [dev-v3] Replace deprecated `NewSimpleClientset`\n - [dev-v3] Bump Go v1.25, `golangci-lint` v2\n - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0\n - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30\n - fix(rollback): `errors.Is` instead of string comp\n - fix(uninstall): supersede deployed releases\n - Use latest patch release of Go in releases\n - chore(deps): bump golang.org/x/crypto from 0.45.0 to 
0.46.0\n - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0\n - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0\n - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2\n - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0\n - chore(deps): bump github.com/cyphar/filepath-securejoin\n - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0\n - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0\n - Remove dev-v3 `helm-latest-version` publish\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29\n - Revert \"pkg/registry: Login option for passing TLS config in memory\"\n - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n - Fix `helm pull` untar dir check with repo urls\n - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0\n - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0\n - [backport] fix: get-helm-3 script use helm3-latest-version\n - pkg/registry: Login option for passing TLS config in memory\n - Fix deprecation warning\n - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0\n - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0\n - Avoid \"panic: interface conversion: interface {} is nil\"\n - bump version to v3.19.0\n - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n - fix: set repo authorizer in registry.Client.Resolve()\n - fix null merge\n - Add timeout flag to repo add and update flags\n- Version 3.19.5:\n - Fixed bug where removing subchart value via override resulted in warning #31118\n - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556\n - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)\n - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)\n - fix null merge 578564e (Ben Foster)\n- 
Version 3.19.4:\n - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])\n - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])\n - chore(deps): bump the k8s-io group with 7 updates edb1579\n- Version 3.19.3:\n - Bump golang.org/x/crypto to v0.45.0\n- Version 3.19.2:\n - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21461-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21461-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621461-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21461-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025795.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-30T13:22:50Z",
"generator": {
"date": "2026-04-30T13:22:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21461-1",
"initial_release_date": "2026-04-30T13:22:50Z",
"revision_history": [
{
"date": "2026-04-30T13:22:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.aarch64",
"product": {
"name": "helm-3.20.2-160000.1.1.aarch64",
"product_id": "helm-3.20.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product": {
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product_id": "helm-3.20.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.s390x",
"product": {
"name": "helm-3.20.2-160000.1.1.s390x",
"product_id": "helm-3.20.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.x86_64",
"product": {
"name": "helm-3.20.2-160000.1.1.x86_64",
"product_id": "helm-3.20.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:helm-bash-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:21434-1
Vulnerability from csaf_suse - Published: 2026-04-30 13:22 - Updated: 2026-04-30 13:22
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\nUpdate to version 3.20.2.\n\nSecurity issues fixed:\n\n- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to\n expected output directory suffixed by the Chart\u0027s name (bsc#1261938).\n\nOther updates and bugfixes:\n\n- Version 3.20.1:\n - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])\n - add image index test 90e1056 (Pedro Trres)\n - fix pulling charts from OCI indices 911f2e9 (Pedro Trres)\n - Remove refactoring changes from coalesce_test.go 76dad33 (Evans Mungai)\n - Fix import 45c12f7 (Evans Mungai)\n - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)\n - Fix lint warning 09f5129 (Evans Mungai)\n - Preserve nil values in chart already 417deb2 (Evans Mungai)\n - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)\n- Version 3.20.0:\n - SDK: bump k8s API versions to v0.35.0\n - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564\n - v3 backport: Bump Go version to v1.25\n - bump version to v3.20\n - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0\n - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0\n - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0\n - chore(deps): bump the k8s-io group with 7 updates\n - [dev-v3] Replace deprecated `NewSimpleClientset`\n - [dev-v3] Bump Go v1.25, `golangci-lint` v2\n - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0\n - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30\n - fix(rollback): `errors.Is` instead of string comp\n - fix(uninstall): supersede deployed releases\n - Use latest patch release of Go in releases\n - chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0\n - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0\n - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0\n - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2\n - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0\n - chore(deps): bump github.com/cyphar/filepath-securejoin\n - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0\n - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0\n - Remove dev-v3 `helm-latest-version` publish\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29\n - Revert \"pkg/registry: Login option for passing TLS config in memory\"\n - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n - Fix `helm pull` untar dir check with repo urls\n - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0\n - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0\n - [backport] fix: get-helm-3 script use helm3-latest-version\n - pkg/registry: Login option for passing TLS config in memory\n - Fix deprecation warning\n - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0\n - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0\n - Avoid \"panic: interface conversion: interface {} is nil\"\n - bump version to v3.19.0\n - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n - fix: set repo authorizer in registry.Client.Resolve()\n - fix null merge\n - Add timeout flag to repo add and update flags\n- Version 3.19.5:\n - Fixed bug where removing subchart value via override resulted in warning #31118\n - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556\n - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)\n - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)\n - fix null merge 578564e (Ben Foster)\n- Version 3.19.4:\n - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)\n - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])\n - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1\n - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])\n - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])\n - chore(deps): bump the k8s-io group with 7 updates edb1579\n- Version 3.19.3:\n - Bump golang.org/x/crypto to v0.45.0\n- Version 3.19.2:\n - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21434-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21434-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621434-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21434-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025818.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-30T13:22:50Z",
"generator": {
"date": "2026-04-30T13:22:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21434-1",
"initial_release_date": "2026-04-30T13:22:50Z",
"revision_history": [
{
"date": "2026-04-30T13:22:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.aarch64",
"product": {
"name": "helm-3.20.2-160000.1.1.aarch64",
"product_id": "helm-3.20.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.20.2-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-fish-completion-3.20.2-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"product": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"product_id": "helm-zsh-completion-3.20.2-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product": {
"name": "helm-3.20.2-160000.1.1.ppc64le",
"product_id": "helm-3.20.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.s390x",
"product": {
"name": "helm-3.20.2-160000.1.1.s390x",
"product_id": "helm-3.20.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-160000.1.1.x86_64",
"product": {
"name": "helm-3.20.2-160000.1.1.x86_64",
"product_id": "helm-3.20.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64"
},
"product_reference": "helm-3.20.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le"
},
"product_reference": "helm-3.20.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x"
},
"product_reference": "helm-3.20.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64"
},
"product_reference": "helm-3.20.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-fish-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.20.2-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
},
"product_reference": "helm-zsh-completion-3.20.2-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-3.20.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-bash-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-fish-completion-3.20.2-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:helm-zsh-completion-3.20.2-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-30T13:22:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
SUSE-SU-2026:1483-1
Vulnerability from csaf_suse - Published: 2026-04-20 10:29 - Updated: 2026-04-20 10:29
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\n- CVE-2025-55199: crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).\n- CVE-2026-35206: files written to unexpected directory via specially crafted Chart (bsc#1261938).\n\nChanges for helm:\n\n- Update to version 3.20.2\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1483,SUSE-SLE-Micro-5.5-2026-1483,SUSE-SLE-Module-Containers-15-SP7-2026-1483,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1483",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1483-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1483-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261483-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1483-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045696.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248093",
"url": "https://bugzilla.suse.com/1248093"
},
{
"category": "self",
"summary": "SUSE Bug 1261938",
"url": "https://bugzilla.suse.com/1261938"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35206 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35206/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-04-20T10:29:46Z",
"generator": {
"date": "2026-04-20T10:29:46Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1483-1",
"initial_release_date": "2026-04-20T10:29:46Z",
"revision_history": [
{
"date": "2026-04-20T10:29:46Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-150000.1.71.2.aarch64",
"product": {
"name": "helm-3.20.2-150000.1.71.2.aarch64",
"product_id": "helm-3.20.2-150000.1.71.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-150000.1.71.2.i586",
"product": {
"name": "helm-3.20.2-150000.1.71.2.i586",
"product_id": "helm-3.20.2-150000.1.71.2.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"product": {
"name": "helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"product_id": "helm-bash-completion-3.20.2-150000.1.71.2.noarch"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.20.2-150000.1.71.2.noarch",
"product": {
"name": "helm-fish-completion-3.20.2-150000.1.71.2.noarch",
"product_id": "helm-fish-completion-3.20.2-150000.1.71.2.noarch"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"product": {
"name": "helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"product_id": "helm-zsh-completion-3.20.2-150000.1.71.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-150000.1.71.2.ppc64le",
"product": {
"name": "helm-3.20.2-150000.1.71.2.ppc64le",
"product_id": "helm-3.20.2-150000.1.71.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-150000.1.71.2.s390x",
"product": {
"name": "helm-3.20.2-150000.1.71.2.s390x",
"product_id": "helm-3.20.2-150000.1.71.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.20.2-150000.1.71.2.x86_64",
"product": {
"name": "helm-3.20.2-150000.1.71.2.x86_64",
"product_id": "helm-3.20.2-150000.1.71.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-containers:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.aarch64 as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64"
},
"product_reference": "helm-3.20.2-150000.1.71.2.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.ppc64le as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le"
},
"product_reference": "helm-3.20.2-150000.1.71.2.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.s390x as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x"
},
"product_reference": "helm-3.20.2-150000.1.71.2.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.x86_64 as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64"
},
"product_reference": "helm-3.20.2-150000.1.71.2.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-150000.1.71.2.noarch as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64"
},
"product_reference": "helm-3.20.2-150000.1.71.2.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le"
},
"product_reference": "helm-3.20.2-150000.1.71.2.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x"
},
"product_reference": "helm-3.20.2-150000.1.71.2.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.20.2-150000.1.71.2.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64"
},
"product_reference": "helm-3.20.2-150000.1.71.2.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.20.2-150000.1.71.2.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch"
},
"product_reference": "helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.20.2-150000.1.71.2.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch"
},
"product_reference": "helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.20.2-150000.1.71.2.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
},
"product_reference": "helm-fish-completion-3.20.2-150000.1.71.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55199"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55199",
"url": "https://www.suse.com/security/cve/CVE-2025-55199"
},
{
"category": "external",
"summary": "SUSE Bug 1248093 for CVE-2025-55199",
"url": "https://bugzilla.suse.com/1248093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-20T10:29:46Z",
"details": "moderate"
}
],
"title": "CVE-2025-55199"
},
{
"cve": "CVE-2026-35206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35206"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35206",
"url": "https://www.suse.com/security/cve/CVE-2026-35206"
},
{
"category": "external",
"summary": "SUSE Bug 1261938 for CVE-2026-35206",
"url": "https://bugzilla.suse.com/1261938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Micro 5.5:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.ppc64le",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.s390x",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-3.20.2-150000.1.71.2.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-bash-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Containers 15 SP7:helm-zsh-completion-3.20.2-150000.1.71.2.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:helm-fish-completion-3.20.2-150000.1.71.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-20T10:29:46Z",
"details": "moderate"
}
],
"title": "CVE-2026-35206"
}
]
}
MSRC_CVE-2026-35206
Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-04-30 01:53
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-35206 Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-35206.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment",
"tracking": {
"current_release_date": "2026-04-30T01:53:12.000Z",
"generator": {
"date": "2026-04-30T08:42:48.128Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-35206",
"initial_release_date": "2026-04-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-04-12T01:01:40.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-04-13T14:40:33.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2026-04-30T01:53:12.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 helm 0:3.14.2-10.cbl2",
"product": {
"name": "\u003ccbl2 helm 0:3.14.2-10.cbl2",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 helm 0:3.14.2-10.cbl2",
"product": {
"name": "cbl2 helm 0:3.14.2-10.cbl2",
"product_id": "20941"
}
}
],
"category": "product_name",
"name": "helm"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 helm 0:3.14.2-10.cbl2 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 helm 0:3.14.2-10.cbl2 as a component of CBL Mariner 2.0",
"product_id": "20941-17086"
},
"product_reference": "20941",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-35206",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20941-17086"
],
"known_affected": [
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-35206 Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-35206.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-12T01:01:40.000Z",
"details": "0:3.14.2-11.cbl2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"title": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"
}
]
}
bit-helm-2026-35206
Vulnerability from bitnami_vulndb
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "helm",
"purl": "pkg:bitnami/helm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.20.2"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.4"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
],
"aliases": [
"CVE-2026-35206"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:helm:helm:*:*:*:*:*:go:*:*"
],
"severity": "Medium"
},
"details": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart\u0027s name. This vulnerability is fixed in 3.20.2 and 4.1.4.",
"id": "BIT-helm-2026-35206",
"modified": "2026-04-13T06:11:47.324Z",
"published": "2026-04-13T05:40:36.770Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35206"
}
],
"schema_version": "1.6.2",
"summary": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"
}
GHSA-HR2V-4R36-88HR
Vulnerability from github – Published: 2026-04-10 15:33 – Updated: 2026-04-10 15:33
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.
Impact
The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.
Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories), does not resolve beyond the output directory, as designed.
Patches
This issue has been resolved in Helm v3.20.2 and v4.1.3
A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.
Workarounds
Ensure that the name of the Chart does not comprise/contain POSIX pathname special directory references, i.e. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.
Credits
Oleh Konko @1seal
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.3"
},
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.20.1"
},
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.20.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35206"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T15:33:09Z",
"nvd_published_at": "2026-04-09T21:16:09Z",
"severity": "MODERATE"
},
"details": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003c=3.20.1 and \u003c=4.1.3, a specially crafted Chart will cause `helm pull --untar [chart URL | repo/chartname]` to write the Chart\u0027s contents to the immediate output directory (as defaulted to the current working directory; or as given by the `--destination` and `--untardir` flags), rather than the expected output directory suffixed by the chart\u0027s name.\n\n### Impact\n\nThe bug enables writing the Chart\u0027s contents (unpackaged/untar\u0027ed) to the output directory `\u003coutput dir\u003e/`, instead of the expected `\u003coutput dir\u003e/\u003cchart name\u003e/`, potentially overwriting the contents of the targeted directory.\n\nNote: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories) do not resolve beyond the output directory as designed.\n\n### Patches\n\nThis issue has been resolved in Helm v3.20.2 and v4.1.3\n\nA Chart with an unexpected name (those specified to be \".\" or \"..\"), or a Chart name which results in a non-unique directory will be rejected.\n\n### Workarounds\n\nEnsure the the name of the Chart does not comprise/contain POSIX pathname special directory references ie. dot-dot (\"..\") or dot (\".\"). In addition, ensuring that the `pull --untar` flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.\n\n### Credits\n\nOleh Konko\n@1seal",
"id": "GHSA-hr2v-4r36-88hr",
"modified": "2026-04-10T15:33:09Z",
"published": "2026-04-10T15:33:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35206"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436"
},
{
"type": "PACKAGE",
"url": "https://github.com/helm/helm"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"
}