helm.sh/helm (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package helm.sh/helm, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2019-18658 — CVSS 9.8 (critical): In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a…
CVE-2019-1010275 — CVSS 9.8 (critical): helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server…
CVE-2019-1000008 — CVSS 6.5 (medium): All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory…
CVE-2025-55198 — CVSS 6.5 (medium): Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper…
CVE-2025-55199 — CVSS 6.5 (medium): Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which…
CVE-2020-15184 — CVSS 3.7 (low): In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could…
CVE-2020-15186 — CVSS 3.4 (low): In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use…
CVE-2020-15187 — CVSS 3.0 (low): In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a…
CVE-2020-15185 — CVSS 2.2 (low): In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a…