๐Ÿ” CVE Alert

CVE-2026-63308

MEDIUM 4.3

Helm Files.Lines Denial of Service via Empty Chart Files

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.

CWE CWE-129
Vendor helm
Product helm
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for helm helm

Be the first to know when new medium vulnerabilities affecting helm helm are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Affected Versions

helm / helm
0 โ‰ค 4.2.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/helm/helm/issues/32279 github.com: https://github.com/helm/helm/pull/32290 github.com: https://github.com/helm/helm/commit/ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017 vulncheck.com: https://www.vulncheck.com/advisories/chat2db-insecure-direct-object-reference-via-get-api-connection-datasource

Credits

George Chen