


Perceptive Security
SOC/SIEM Consultancy

In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition …
Published:
29 March 2026 at 22:00:00
Alert date:
30 March 2026 at 20:03:04
Source:
nvd.nist.gov
Cloud & Virtualization, Web Technologies
CVE-2026-29954 affects KubePlus 4.1.4, specifically the mutating webhook and kubeconfiggenerator components. The vulnerability stems from improper validation of the chartURL field in ResourceComposition resources, leading to Server-Side Request Forgery (SSRF). The chartURL value is only URL-encoded; the target address is never validated. More critically, the kubeconfiggenerator component concatenates the chartURL directly into wget command strings without sanitization, which enables command injection. Attackers can inject wget's --header option to achieve arbitrary HTTP header injection, potentially leading to further exploitation.
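The two patterns the advisory contrasts, as an added illustration (not KubePlus code): a wget invocation built by string concatenation, beside a validator and argv builder that reject option-looking values, non-http(s) schemes, embedded credentials and hosts outside an allowlist. The allowlisted host and the sample URLs are constructed assumptions.

```python
import shlex
from urllib.parse import urlsplit

# Constructed allowlist of chart repositories an operator trusts (assumption).
ALLOWED_HOSTS = {"charts.example.com"}
SHELL_META = set(";|&$`\n")


def vulnerable_wget_command(chart_url: str) -> str:
    """The risky pattern described above: the URL is spliced into a shell string."""
    return "wget -q " + chart_url + " -O /tmp/chart.tgz"


def shell_token_count(command: str) -> int:
    """Number of argv tokens a POSIX shell would produce; 5 is expected for a clean URL."""
    return len(shlex.split(command))


def validate_chart_url(chart_url: str) -> str:
    """Accept only an absolute http(s) URL to an allowlisted host with no credentials."""
    if chart_url.startswith("-"):
        raise ValueError("chartURL must not start with '-' (would parse as a wget option)")
    if any(ch.isspace() or ch in SHELL_META for ch in chart_url):
        raise ValueError("chartURL contains whitespace or shell metacharacters")
    parts = urlsplit(chart_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not an allowlisted chart repository")
    if parts.username or parts.password:
        raise ValueError("credentials in chartURL are not allowed")
    return chart_url


def safe_wget_argv(chart_url: str, dest: str = "/tmp/chart.tgz") -> list:
    """Build an argv list for subprocess (no shell); '--' ends option parsing."""
    return ["wget", "-q", "-O", dest, "--", validate_chart_url(chart_url)]


def is_accepted(chart_url: str) -> bool:
    """Convenience wrapper: True if the validator lets the value through."""
    try:
        validate_chart_url(chart_url)
        return True
    except ValueError:
        return False
```

Pass `safe_wget_argv(...)` to `subprocess.run` without `shell=True`; the validator is the control that belongs in the webhook, before the value is ever persisted.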
Technical details
Mitigation steps:
Affected products:
KubePlus
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-29954
https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0
https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
