#VU125576 Path traversal in Helm - CVE-2026-35204

 


Published: April 9, 2026


Vulnerability identifier: #VU125576
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35204
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Helm
Software vendor: The Helm Project

Description

The vulnerability allows a remote attacker to write files to arbitrary locations on the filesystem.

The vulnerability exists due to path traversal in the plugin metadata version field when installing or updating a specially crafted Helm plugin. A remote attacker can provide a specially crafted plugin to write files to arbitrary locations on the filesystem.

User interaction is required to install or update the crafted plugin.
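
As an added illustration (not code from Helm or from this advisory), the following Go sketch shows the kind of check that closes this class of bug: accept the metadata version only if it is plain semver, then confirm the derived directory stays under the plugin base. The function names, the base path, and the assumption that the version is used as a single path component are hypothetical; the advisory does not describe Helm's internal layout.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// semverRe accepts MAJOR.MINOR.PATCH with optional pre-release/build suffixes.
// The character set excludes '/' and '\', so no value can span path components.
var semverRe = regexp.MustCompile(`^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// ValidateVersion rejects any version string that is not plain semver.
func ValidateVersion(v string) error {
	if !semverRe.MatchString(v) {
		return fmt.Errorf("invalid plugin version %q", v)
	}
	return nil
}

// SafeVersionDir returns base/version only if the result stays under base.
// Assumption: the version is used as one path component (hypothetical layout).
func SafeVersionDir(base, version string) (string, error) {
	if err := ValidateVersion(version); err != nil {
		return "", err
	}
	dest := filepath.Join(base, version)
	// Defense in depth: re-check containment after path normalization.
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("version %q escapes %s", version, base)
	}
	return dest, nil
}

func main() {
	// Constructed sample values, not taken from any real plugin.
	samples := []string{"1.4.2", "0.9.0-rc.1+build.5", "../../tmp/x", "1.0.0/../../x", `1.0.0\..\x`, ""}
	for _, v := range samples {
		dir, err := SafeVersionDir("/opt/plugins/example", v)
		fmt.Printf("%-22q dir=%q err=%v\n", v, dir, err)
	}
}
```

The same two checks can be applied when auditing already-installed plugins: any metadata version that fails the pattern is worth inspecting before the plugin is updated.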


Remediation

Install the security update from the vendor's website.
