CVE-2026-63308
Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/fil
CVSS
4.3
Medium
EPSS
—
KEV
—
Exploit Today
0
0-100
Published: Jul 17, 2026 · Last modified: Jul 17, 2026 · CWE-129
Not enough EPSS history yet.
Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.
- github.comhttps://github.com/helm/helm/commit/ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017
- github.comhttps://github.com/helm/helm/issues/32279
- github.comhttps://github.com/helm/helm/pull/32290
- www.vulncheck.comhttps://www.vulncheck.com/advisories/chat2db-insecure-direct-object-reference-via-get-api-connection-datasource
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-20068.8 HIG61.3%
——18Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.3dCVE-2021-316588.1 HIG59.4%
——18TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is affected by an Array index error. The interface that provides the "device description" function only judges the length of the received data, and does not filter special characters. This vulnerability will cause the application to crash, and all device configuration information will be erased.9dCVE-2026-30838.8 HIG52.7%
——16GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.3dCVE-2026-228599.1 CRI51.0%
——15FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1.3dCVE-2026-322857.5 HIG50.8%
——15The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.3dCVE-2026-214139.8 CRI50.7%
——15A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.3d