Nixpkgs security tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: helmsman

Found 5 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-35205
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.

Affected products

helm
  • ==>= 4.0.0, < 4.1.4

Matching in nixpkgs

pkgs.helm

Free, cross-platform, polyphonic synthesizer

pkgs.helmfile

Declarative spec for deploying Helm charts

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

pkgs.helm-docs

Tool for automatically generating markdown documentation for Helm charts

pkgs.helmholtz

Time domain pitch tracker for Pure Data

  • nixos-unstable 1.0
    • nixpkgs-unstable 1.0
    • nixos-unstable-small 1.0
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-35206
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

Affected products

helm
  • ==< 3.20.2
  • ==>= 4.0.0, < 4.1.4

Matching in nixpkgs

pkgs.helm

Free, cross-platform, polyphonic synthesizer

pkgs.helmfile

Declarative spec for deploying Helm charts

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

pkgs.helm-docs

Tool for automatically generating markdown documentation for Helm charts

pkgs.helmholtz

Time domain pitch tracker for Pure Data

  • nixos-unstable 1.0
    • nixpkgs-unstable 1.0
    • nixos-unstable-small 1.0
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-35204
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

Affected products

helm
  • ==>= 4.0.0, < 4.1.4

Matching in nixpkgs

pkgs.helm

Free, cross-platform, polyphonic synthesizer

pkgs.helmfile

Declarative spec for deploying Helm charts

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

pkgs.helm-docs

Tool for automatically generating markdown documentation for Helm charts

pkgs.helmholtz

Time domain pitch tracker for Pure Data

  • nixos-unstable 1.0
    • nixpkgs-unstable 1.0
    • nixos-unstable-small 1.0
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-34606
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Stored XSS in Frappe LMS

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

Affected products

lms
  • ==>= 2.27.0, < 2.48.0

Matching in nixpkgs

pkgs.lms

Lightweight Music Server - Access your self-hosted music using a web interface

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

pkgs.lmstudio

LM Studio is an easy to use desktop app for experimenting with local and open-source Large Language Models (LLMs)

Package maintainers

Permalink CVE-2026-1106
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 4 months ago Activity log
  • Created suggestion 4 months ago
Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization

A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

LMS
  • ==2.0.0 Beta 1

Matching in nixpkgs

pkgs.lms

Lightweight Music Server - Access your self-hosted music using a web interface

pkgs.flmsg

Digital modem message program

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

pkgs.lmstudio

LM Studio is an easy to use desktop app for experimenting with local and open-source Large Language Models (LLMs)

Package maintainers