CVE-2026-29954 - Vulnerability Analysis
Severity: High | CVSS: 7.6 | Last Updated: March 30, 2026
KubePlus - Server Side Request Forgery & HTTP Header Injection
Overview
KubePlus 4.1.4 contains a server-side request forgery caused by improper validation and direct concatenation of the chartURL field in the mutating webhook and kubeconfiggenerator components. Because the value is passed straight into a wget command, an attacker who can supply a crafted chartURL can inject arbitrary HTTP headers into the request; exploitation requires control over the chartURL input.
Severity & Score
Impact
Attackers can inject arbitrary HTTP headers and perform SSRF, potentially leading to unauthorized internal requests or data exposure.
Mitigation
Update to the latest version, which adds proper validation of chartURL and sanitizes the value before it is used to build the download command.
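As an added example (not KubePlus code; the allowlisted host, the wget flags and the function names are assumptions), the Go snippet below shows the shape of validation the mitigation calls for: reject whitespace and control characters so no extra headers or arguments can be smuggled in, require HTTPS, refuse embedded credentials and loopback, link-local or private IP literals, check the host against an operator allowlist, and hand the result to exec.Command as an argument vector rather than concatenating it into a shell string.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os/exec"
	"strings"
)

// Assumed policy for this example: only HTTPS chart repositories on an
// operator-maintained allowlist may be fetched. The host is a placeholder.
var allowedChartHosts = map[string]bool{
	"charts.example.internal": true,
}

// ValidateChartURL returns the parsed URL if raw is safe to hand to a
// downloader, or an error describing why it was rejected.
func ValidateChartURL(raw string) (*url.URL, error) {
	// Whitespace and control characters are what make header injection and
	// argument splitting possible when a value is concatenated into a command.
	for _, r := range raw {
		if r <= 0x20 || r == 0x7f {
			return nil, errors.New("chartURL contains whitespace or control characters")
		}
	}
	// A value that begins with '-' would be parsed by wget as an option, not a URL.
	if strings.HasPrefix(raw, "-") {
		return nil, errors.New("chartURL must not start with '-'")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("chartURL is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("chartURL scheme %q is not allowed; only https is", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("chartURL must not embed credentials")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("chartURL has no host")
	}
	// Reject IP literals for loopback, link-local (cloud metadata), private
	// or unspecified ranges: the classic SSRF targets inside a cluster.
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified() {
			return nil, fmt.Errorf("chartURL host %s is not a public address", host)
		}
	}
	if !allowedChartHosts[strings.ToLower(host)] {
		return nil, fmt.Errorf("chartURL host %q is not on the allowlist", host)
	}
	return u, nil
}

// BuildWgetArgs builds the argument vector for the downloader. Passing argv
// directly to exec.Command (no shell) means the URL can never be split into
// extra arguments or options, whatever characters it contains.
func BuildWgetArgs(raw, dest string) ([]string, error) {
	u, err := ValidateChartURL(raw)
	if err != nil {
		return nil, err
	}
	// "--" ends option parsing so the URL is always treated as an operand.
	return []string{"wget", "-q", "-O", dest, "--", u.String()}, nil
}

func main() {
	// Constructed inputs for demonstration; none of these is a real repository.
	inputs := []string{
		"https://charts.example.internal/app-1.0.0.tgz",
		"https://charts.example.internal/x --header=X-Injected:1",
		"http://169.254.169.254/latest/meta-data/",
		"https://127.0.0.1/chart.tgz",
	}
	for _, in := range inputs {
		args, err := BuildWgetArgs(in, "/tmp/chart.tgz")
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", in, err)
			continue
		}
		fmt.Printf("ACCEPT %q -> %v\n", in, args)
		_ = exec.Command(args[0], args[1:]...) // call cmd.Run() here in real code
	}
}
```

The IP-literal check is a second layer behind the allowlist, not a substitute for it: a hostname on the allowlist can still resolve to an internal address, and wget follows redirects, so a deployment that cannot use a strict allowlist should also resolve the host before fetching and run the download with redirects disabled or re-validated.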
References
Social Media Activity (2 posts)
CVE-2026-29954 - High (7.6) In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More cr... https://www.thehackerwire.com/vulnerability/CVE-2026-29954/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
GitHub Repositories (1 repo)
Related Resources
Details
- CVE ID: CVE-2026-29954
- Severity: High
- CVSS Score: 7.6
- Type: server_side_request_forgery
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N