CVE-2026-29955

HighPublic PoCRCEUpdated

Published: 13 April 2026

Published

13 April 2026

Modified

01 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29955 is a high-severity Code Injection (CWE-94) vulnerability in Cloudark Kubeplus. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the user-supplied chartName parameter to block malicious shell command injection in the /registercrd endpoint.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on inputs at the endpoint boundary to prevent unsanitized chartName values from enabling command injection.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the specific command injection flaw in the kubeconfiggenerator component's subprocess.Popen usage.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection via unsanitized user input to subprocess.Popen(shell=True) on a network-accessible /registercrd endpoint directly enables remote exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any…

sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.

Deeper analysisAI

CVE-2026-29955 is a command injection vulnerability affecting the `/registercrd` endpoint in the kubeconfiggenerator component of KubePlus version 4.14. The flaw arises because the component invokes `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, directly concatenating the user-supplied `chartName` parameter into the command string without sanitization or validation. This was published on 2026-04-13 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code).

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious `chartName` value, the attacker injects arbitrary shell commands, potentially achieving high confidentiality, integrity, and availability impacts, such as executing unauthorized code on the host system running the kubeconfiggenerator.

Advisories and further details are documented in the provided references, including a GitHub Gist at https://gist.github.com/b0b0haha/f011fdd69adc3ae272a4e3b99af90163 and a GitHub repository README at https://github.com/b0b0haha/CVE-2026-29955/blob/main/README.md.