Helm.Sh Helm V4 vulnerabilities
3 known vulnerabilities affecting helm.sh/helm_v4.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2026-35204 | HIGH | ≥ 4.0.0, < 4.1.4 | 2026-04-10
CVE-2026-35204 [HIGH] CWE-22 Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location.
### I
ghsa
CVE-2026-35205 | HIGH | ≥ 4.0.0, < 4.1.4 | 2026-04-10
CVE-2026-35205 [HIGH] CWE-636 Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance (`.prov` file) when signature verification is required.
### Impact
The bug allows plugin authors to omit provenance (signing) data from plugins
ghsa
CVE-2026-35206 | MEDIUM | ≥ 0, < 4.1.4 | 2026-04-10
CVE-2026-35206 [MEDIUM] CWE-22 Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Helm is a package manager for Charts for Kubernetes. In Helm versions /`, instead of the expected `//`, potentially overwriting the contents of the targeted directory.
Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories) does not resolve beyond the ou
ghsa