Skip to main content

Helm

26 CVEs product

Monthly

CVE-2026-35205 Go HIGH PATCH GHSA This Week

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when signature verification is explicitly required, allowing local attackers to deliver malicious plugins that execute with Helm's privileges during installation. The flaw (CWE-636: Not Failing Securely) enables supply chain attacks where unsigned or tampered plugins bypass security controls intended to validate plugin integrity. Fixed in Helm 4.1.4. EPSS score is 2nd percentile (0.01% exploitation probability), no active exploitation confirmed, SSVC assessment indicates total technical impact but non-automatable exploitation requiring user interaction.

Information Disclosure Kubernetes Helm
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-35204 Go HIGH PATCH GHSA This Week

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update by embedding '/../' sequences in the plugin.yaml version field, achieving high integrity impact across system and vulnerable component scopes. EPSS score is 2nd percentile (0.01%) with no active exploitation or public POC identified, suggesting low immediate risk despite 8.4 CVSS score. Vendor patch released in version 4.1.4.

Path Traversal Kubernetes Helm
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-55199 Go MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Kubernetes Helm Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-55198 Go MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Information Disclosure Kubernetes Helm Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53547 Go HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

RCE Code Injection Kubernetes Debian Helm +2
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-32387 Go MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Kubernetes Stack Overflow Helm Red Hat +1
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-32386 Go MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Helm Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-26147 Go HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Helm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-25620 Go MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Kubernetes Helm
NVD GitHub
CVSS 3.1
6.4
EPSS
0.6%
CVE-2023-25165 Go MEDIUM POC PATCH This Month

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Kubernetes Information Disclosure Helm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.8%
CVE-2022-23526 Go HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Kubernetes Denial Of Service Helm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-23525 Go HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Kubernetes Denial Of Service Helm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-23524 Go HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-36049 Go HIGH PATCH This Week

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm Flux2 Helm Controller
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-36055 Go MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-32690 Go HIGH PATCH This Week

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
CVSS 3.1
8.6
EPSS
1.4%
CVE-2021-21303 Go MEDIUM PATCH This Month

Helm is open-source software which is essentially "The Kubernetes Package Manager". Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Information Disclosure Helm
NVD GitHub
CVSS 3.1
6.8
EPSS
1.0%
CVE-2020-15187 Go MEDIUM PATCH This Month

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Helm
NVD GitHub
CVSS 3.1
4.7
EPSS
1.5%
CVE-2020-15186 Go LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Helm
NVD GitHub
CVSS 3.1
2.7
EPSS
1.0%
CVE-2020-15185 Go LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Helm
NVD GitHub
CVSS 3.1
2.7
EPSS
0.9%
CVE-2020-15184 Go LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Helm
NVD GitHub
CVSS 3.1
2.7
EPSS
1.0%
CVE-2020-4053 Go MEDIUM PATCH This Month

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Helm
NVD GitHub
CVSS 3.1
6.8
EPSS
1.5%
CVE-2020-11013 Go MEDIUM POC PATCH This Month

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
CVSS 3.1
5.0
EPSS
1.3%
CVE-2019-18658 Go CRITICAL PATCH Act Now

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Helm
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2019-1010275 Go CRITICAL PATCH Act Now

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Helm
NVD GitHub
CVSS 3.0
9.8
EPSS
1.4%
CVE-2019-1000008 Go MEDIUM POC PATCH This Month

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Helm
NVD
CVSS 3.0
6.5
EPSS
1.5%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when signature verification is explicitly required, allowing local attackers to deliver malicious plugins that execute with Helm's privileges during installation. The flaw (CWE-636: Not Failing Securely) enables supply chain attacks where unsigned or tampered plugins bypass security controls intended to validate plugin integrity. Fixed in Helm 4.1.4. EPSS score is 2nd percentile (0.01% exploitation probability), no active exploitation confirmed, SSVC assessment indicates total technical impact but non-automatable exploitation requiring user interaction.

Information Disclosure Kubernetes Helm
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update by embedding '/../' sequences in the plugin.yaml version field, achieving high integrity impact across system and vulnerable component scopes. EPSS score is 2nd percentile (0.01%) with no active exploitation or public POC identified, suggesting low immediate risk despite 8.4 CVSS score. Vendor patch released in version 4.1.4.

Path Traversal Kubernetes Helm
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Kubernetes Helm +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Information Disclosure Kubernetes Helm +2
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

RCE Code Injection Kubernetes +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Helm is a package manager for Charts for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Kubernetes Stack Overflow +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Helm Red Hat +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Helm
NVD GitHub
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Kubernetes Helm
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Kubernetes Information Disclosure Helm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Kubernetes Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Kubernetes Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Helm is a tool for managing Charts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Denial Of Service Helm
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Helm is open-source software which is essentially "The Kubernetes Package Manager". Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Information Disclosure Helm
NVD GitHub
EPSS 2% CVSS 4.7
MEDIUM PATCH This Month

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Helm
NVD GitHub
EPSS 1% CVSS 2.7
LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Helm
NVD GitHub
EPSS 1% CVSS 2.7
LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Helm
NVD GitHub
EPSS 1% CVSS 2.7
LOW PATCH Monitor

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Helm
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Helm
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Helm
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Helm
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Helm
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy