Security Advisory

CVE-2026-29955

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-13 00:00:00
Last updated 2026-04-15 17:44:09
Assigner mitre
State PUBLISHED

Description

The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.