[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2020-15187":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":398,"aliases":399,"duplicate_of":9,"upstream":402,"downstream":403,"duplicates":406,"related":407,"reserved_at":9,"published_at":409,"modified_at":410,"state":411,"summary":412,"references_raw":421,"kevs":467,"epss":468,"epss_history":471,"metrics":732,"affected":752},"CVE-2020-15187","In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack.\nTo perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2.\nAs a possible workaround make sure to install plugins using a secure connection protocol like SSL.",null,[11,18,26],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":9,"likelihood_of_exploit":9,"capec":17},"NVD-CWE-OTHER","Other","NVD uses this CWE ID when the weakness does not map to any existing CWE entry.","placeholder","NVD-Reserved",[],{"_key":19,"id":19,"name":20,"description":21,"type":22,"status":23,"abstraction":24,"likelihood_of_exploit":9,"capec":25},"CWE-694","Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.","weakness","Incomplete","Base",[],{"_key":27,"id":27,"name":28,"description":29,"type":22,"status":23,"abstraction":30,"likelihood_of_exploit":31,"capec":32},"CWE-74","Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.","Class","High",[33,37,41,45,49,53,237,241,245,249,253,294,298,302,306,310,314,318,322,326,330,334,338,342,346,350,354,358,362,366,370,374,378,382,386,390,394],{"id":34,"name":35,"techniques":36},"CAPEC-10","Buffer Overflow via Environment Variables",[],{"id":38,"name":39,"techniques":40},"CAPEC-101","Server Side Include (SSI) Injection",[],{"id":42,"name":43,"techniques":44},"CAPEC-105","HTTP Request Splitting",[],{"id":46,"name":47,"techniques":48},"CAPEC-108","Command Line Execution through SQL Injection",[],{"id":50,"name":51,"techniques":52},"CAPEC-120","Double Encoding",[],{"id":54,"name":55,"techniques":56},"CAPEC-13","Subverting Environment Variable Values",[57,155,197],{"id":58,"name":59,"tactics":60,"countermeasures":67},"T1562.003","Impair Command History Logging",[61,64],{"id":62,"name":63},"TA0030","Defense Evasion",{"id":65,"name":66},"TA0005","Stealth",[68,73,78,82,86,90,95,99,104,109,113,117,122,126,131,135,139,143,147,151],{"id":69,"name":70,"tactic":71},"D3-CI","Configuration Inventory",{"name":72},"Model",{"id":74,"name":75,"tactic":76},"D3-FA","File Analysis",{"name":77},"Detect",{"id":79,"name":80,"tactic":81},"D3-FIM","File Integrity Monitoring",{"name":77},{"id":83,"name":84,"tactic":85},"D3-DA","Dynamic Analysis",{"name":77},{"id":87,"name":88,"tactic":89},"D3-EFA","Emulated File Analysis",{"name":77},{"id":91,"name":92,"tactic":93},"D3-FEV","File Eviction",{"name":94},"Evict",{"id":96,"name":97,"tactic":98},"D3-RKD","Registry Key Deletion",{"name":94},{"id":100,"name":101,"tactic":102},"D3-DF","Decoy File",{"name":103},"Deceive",{"id":105,"name":106,"tactic":107},"D3-DRA","Disable Remote Access",{"name":108},"Harden",{"id":110,"name":111,"tactic":112},"D3-ACH","Application Configuration Hardening",{"name":108},{"id":114,"name":115,"tactic":116},"D3-FE","File Encryption",{"name":108},{"id":118,"name":119,"tactic":120},"D3-RC","Restore Configuration",{"name":121},"Restore",{"id":123,"name":124,"tactic":125},"D3-RF","Restore File",{"name":121},{"id":127,"name":128,"tactic":129},"D3-CQ","Content Quarantine",{"name":130},"Isolate",{"id":132,"name":133,"tactic":134},"D3-CF","Content Filtering",{"name":130},{"id":136,"name":137,"tactic":138},"D3-LFP","Local File Permissions",{"name":130},{"id":140,"name":141,"tactic":142},"D3-RFAM","Remote File Access Mediation",{"name":130},{"id":144,"name":145,"tactic":146},"D3-CM","Content Modification",{"name":130},{"id":148,"name":149,"tactic":150},"D3-EAL","Executable Allowlisting",{"name":130},{"id":152,"name":153,"tactic":154},"D3-EDL","Executable Denylisting",{"name":130},{"id":156,"name":157,"tactics":158,"countermeasures":170},"T1574.006","Dynamic Linker Hijacking",[159,162,165,166,167],{"id":160,"name":161},"TA0110","Persistence",{"id":163,"name":164},"TA0111","Privilege Escalation",{"id":62,"name":63},{"id":65,"name":66},{"id":168,"name":169},"TA0104","Execution",[171,175,177,179,181,183,185,187,189,191,193,195],{"id":172,"name":173,"tactic":174},"D3-SFA","System File Analysis",{"name":77},{"id":74,"name":75,"tactic":176},{"name":77},{"id":79,"name":80,"tactic":178},{"name":77},{"id":91,"name":92,"tactic":180},{"name":94},{"id":100,"name":101,"tactic":182},{"name":103},{"id":114,"name":115,"tactic":184},{"name":108},{"id":123,"name":124,"tactic":186},{"name":121},{"id":132,"name":133,"tactic":188},{"name":130},{"id":136,"name":137,"tactic":190},{"name":130},{"id":140,"name":141,"tactic":192},{"name":130},{"id":127,"name":128,"tactic":194},{"name":130},{"id":144,"name":145,"tactic":196},{"name":130},{"id":198,"name":199,"tactics":200,"countermeasures":206},"T1574.007","Path Interception by PATH Environment Variable",[201,202,203,204,205],{"id":160,"name":161},{"id":163,"name":164},{"id":62,"name":63},{"id":65,"name":66},{"id":168,"name":169},[207,209,211,213,215,217,219,221,223,225,227,229,231,233,235],{"id":74,"name":75,"tactic":208},{"name":77},{"id":79,"name":80,"tactic":210},{"name":77},{"id":83,"name":84,"tactic":212},{"name":77},{"id":87,"name":88,"tactic":214},{"name":77},{"id":91,"name":92,"tactic":216},{"name":94},{"id":100,"name":101,"tactic":218},{"name":103},{"id":114,"name":115,"tactic":220},{"name":108},{"id":123,"name":124,"tactic":222},{"name":121},{"id":132,"name":133,"tactic":224},{"name":130},{"id":136,"name":137,"tactic":226},{"name":130},{"id":140,"name":141,"tactic":228},{"name":130},{"id":127,"name":128,"tactic":230},{"name":130},{"id":144,"name":145,"tactic":232},{"name":130},{"id":148,"name":149,"tactic":234},{"name":130},{"id":152,"name":153,"tactic":236},{"name":130},{"id":238,"name":239,"techniques":240},"CAPEC-135","Format String Injection",[],{"id":242,"name":243,"techniques":244},"CAPEC-14","Client-side Injection-induced Buffer Overflow",[],{"id":246,"name":247,"techniques":248},"CAPEC-24","Filter Failure through Buffer Overflow",[],{"id":250,"name":251,"techniques":252},"CAPEC-250","XML Injection",[],{"id":254,"name":255,"techniques":256},"CAPEC-267","Leverage Alternate Encoding",[257],{"id":258,"name":259,"tactics":260,"countermeasures":263},"T1027","Obfuscated Files or Information",[261,262],{"id":62,"name":63},{"id":65,"name":66},[264,266,268,270,272,274,276,278,280,282,284,286,288,290,292],{"id":74,"name":75,"tactic":265},{"name":77},{"id":79,"name":80,"tactic":267},{"name":77},{"id":83,"name":84,"tactic":269},{"name":77},{"id":87,"name":88,"tactic":271},{"name":77},{"id":91,"name":92,"tactic":273},{"name":94},{"id":100,"name":101,"tactic":275},{"name":103},{"id":114,"name":115,"tactic":277},{"name":108},{"id":123,"name":124,"tactic":279},{"name":121},{"id":132,"name":133,"tactic":281},{"name":130},{"id":136,"name":137,"tactic":283},{"name":130},{"id":140,"name":141,"tactic":285},{"name":130},{"id":127,"name":128,"tactic":287},{"name":130},{"id":144,"name":145,"tactic":289},{"name":130},{"id":148,"name":149,"tactic":291},{"name":130},{"id":152,"name":153,"tactic":293},{"name":130},{"id":295,"name":296,"techniques":297},"CAPEC-273","HTTP Response Smuggling",[],{"id":299,"name":300,"techniques":301},"CAPEC-28","Fuzzing",[],{"id":303,"name":304,"techniques":305},"CAPEC-3","Using Leading 'Ghost' Character Sequences to Bypass Input Filters",[],{"id":307,"name":308,"techniques":309},"CAPEC-34","HTTP Response Splitting",[],{"id":311,"name":312,"techniques":313},"CAPEC-42","MIME Conversion",[],{"id":315,"name":316,"techniques":317},"CAPEC-43","Exploiting Multiple Input Interpretation Layers",[],{"id":319,"name":320,"techniques":321},"CAPEC-45","Buffer Overflow via Symbolic Links",[],{"id":323,"name":324,"techniques":325},"CAPEC-46","Overflow Variables and Tags",[],{"id":327,"name":328,"techniques":329},"CAPEC-47","Buffer Overflow via Parameter Expansion",[],{"id":331,"name":332,"techniques":333},"CAPEC-51","Poison Web Service Registry",[],{"id":335,"name":336,"techniques":337},"CAPEC-52","Embedding NULL Bytes",[],{"id":339,"name":340,"techniques":341},"CAPEC-53","Postfix, Null Terminate, and Backslash",[],{"id":343,"name":344,"techniques":345},"CAPEC-6","Argument Injection",[],{"id":347,"name":348,"techniques":349},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":351,"name":352,"techniques":353},"CAPEC-67","String Format Overflow in syslog()",[],{"id":355,"name":356,"techniques":357},"CAPEC-7","Blind SQL Injection",[],{"id":359,"name":360,"techniques":361},"CAPEC-71","Using Unicode Encoding to Bypass Validation Logic",[],{"id":363,"name":364,"techniques":365},"CAPEC-72","URL Encoding",[],{"id":367,"name":368,"techniques":369},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":371,"name":372,"techniques":373},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":375,"name":376,"techniques":377},"CAPEC-79","Using Slashes in Alternate Encoding",[],{"id":379,"name":380,"techniques":381},"CAPEC-8","Buffer Overflow in an API Call",[],{"id":383,"name":384,"techniques":385},"CAPEC-80","Using UTF-8 Encoding to Bypass Validation Logic",[],{"id":387,"name":388,"techniques":389},"CAPEC-83","XPath Injection",[],{"id":391,"name":392,"techniques":393},"CAPEC-84","XQuery Injection",[],{"id":395,"name":396,"techniques":397},"CAPEC-9","Buffer Overflow in Local Command-Line Utilities",[],[],[400,401],"GHSA-c52f-pq47-2r9j","BIT-helm-2020-15187",[],[404],{"_key":405},"SUSE-SU-2020:3760-1",[],[408],{"_key":405},"2020-09-17T21:50:12.000Z","2025-05-29T22:59:03.267Z","Modified",{"cisa_kev":413,"cisa_ransomware":413,"cisa_vendor":9,"epss_severity":414,"epss_score":415,"severity":416,"severity_score":417,"severity_version":418,"severity_source":419,"severity_vector":420,"severity_status":411},false,"low",0.00195,"medium",6.5,"v2.0","nvd","AV:N/AC:L/Au:S/C:P/I:P/A:P",[422,431,436,440,444,448,453,457,462],{"url":423,"sources":424,"tags":427},"https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j",[425,419,426],"cve.org","osv_go",[428,429,430],"X Refsource CONFIRM","Third Party Advisory","WEB",{"url":432,"sources":433,"tags":434},"https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946",[425,419,426],[435,430],"X Refsource MISC",{"url":437,"sources":438,"tags":439},"https://github.com/helm/helm/commit/ac7c07c37d87e09797f714fb57aa5e9cb99d9450",[425,419,426],[435,430],{"url":441,"sources":442,"tags":443},"https://github.com/helm/helm/commit/b0296c0522e837d65f944beefa3fb64fd08ac304",[425,419,426],[435,430],{"url":445,"sources":446,"tags":447},"https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499",[425,419,426],[435,430],{"url":449,"sources":450,"tags":451},"https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b",[425,419,426],[435,452,429,430],"Patch",{"url":454,"sources":455,"tags":456},"https://github.com/helm/helm/commit/f2ede29480b507b7d8bb152dd8b6b86248b00658",[425,419,426],[435,430],{"url":458,"sources":459,"tags":460},"https://nvd.nist.gov/vuln/detail/CVE-2020-15187",[426],[461],"Advisory",{"url":463,"sources":464,"tags":465},"https://github.com/helm/helm",[426],[466],"PACKAGE",[],{"date":469,"score":415,"percentile":470},"2026-06-04",0.41222,[472,476,479,482,485,488,491,494,497,500,503,506,508,511,514,518,521,524,527,530,533,536,538,541,544,547,550,553,556,559,562,565,568,571,574,577,580,583,585,588,591,594,597,599,602,605,608,611,614,617,620,623,626,628,631,634,637,640,642,645,648,651,654,657,660,662,664,667,670,673,675,678,680,683,685,687,690,693,696,699,702,705,708,711,714,717,720,723,726,729],{"date":473,"score":474,"percentile":475},"2025-11-04",0.00148,0.35852,{"date":477,"score":474,"percentile":478},"2025-11-05",0.35841,{"date":480,"score":474,"percentile":481},"2025-11-06",0.35837,{"date":483,"score":474,"percentile":484},"2025-11-07",0.35866,{"date":486,"score":474,"percentile":487},"2025-11-08",0.35858,{"date":489,"score":474,"percentile":490},"2025-11-09",0.35844,{"date":492,"score":474,"percentile":493},"2025-11-10",0.35813,{"date":495,"score":474,"percentile":496},"2025-11-11",0.3584,{"date":498,"score":474,"percentile":499},"2025-11-12",0.3588,{"date":501,"score":474,"percentile":502},"2025-11-13",0.35894,{"date":504,"score":474,"percentile":505},"2025-11-14",0.35897,{"date":507,"score":474,"percentile":505},"2025-11-15",{"date":509,"score":474,"percentile":510},"2025-11-16",0.35876,{"date":512,"score":474,"percentile":513},"2025-11-17",0.35851,{"date":515,"score":516,"percentile":517},"2025-11-18",0.00387,0.57085,{"date":519,"score":516,"percentile":520},"2025-11-19",0.57102,{"date":522,"score":516,"percentile":523},"2025-11-20",0.57092,{"date":525,"score":474,"percentile":526},"2025-11-21",0.35863,{"date":528,"score":474,"percentile":529},"2025-11-22",0.35865,{"date":531,"score":474,"percentile":532},"2025-11-23",0.35832,{"date":534,"score":474,"percentile":535},"2025-11-24",0.35812,{"date":537,"score":474,"percentile":493},"2025-11-25",{"date":539,"score":474,"percentile":540},"2025-11-26",0.35811,{"date":542,"score":474,"percentile":543},"2025-11-27",0.35821,{"date":545,"score":474,"percentile":546},"2025-11-28",0.358,{"date":548,"score":474,"percentile":549},"2025-11-29",0.35781,{"date":551,"score":474,"percentile":552},"2025-11-30",0.35766,{"date":554,"score":474,"percentile":555},"2025-12-01",0.35878,{"date":557,"score":474,"percentile":558},"2025-12-02",0.35887,{"date":560,"score":474,"percentile":561},"2025-12-03",0.35883,{"date":563,"score":474,"percentile":564},"2025-12-04",0.35758,{"date":566,"score":474,"percentile":567},"2025-12-05",0.35789,{"date":569,"score":474,"percentile":570},"2025-12-06",0.35778,{"date":572,"score":474,"percentile":573},"2025-12-07",0.35747,{"date":575,"score":474,"percentile":576},"2025-12-08",0.35762,{"date":578,"score":474,"percentile":579},"2025-12-09",0.35801,{"date":581,"score":474,"percentile":582},"2025-12-10",0.35857,{"date":584,"score":474,"percentile":561},"2025-12-11",{"date":586,"score":474,"percentile":587},"2025-12-12",0.35917,{"date":589,"score":474,"percentile":590},"2025-12-13",0.35895,{"date":592,"score":474,"percentile":593},"2025-12-14",0.35867,{"date":595,"score":474,"percentile":596},"2025-12-15",0.35828,{"date":598,"score":474,"percentile":487},"2025-12-16",{"date":600,"score":474,"percentile":601},"2025-12-17",0.35906,{"date":603,"score":474,"percentile":604},"2025-12-18",0.35947,{"date":606,"score":474,"percentile":607},"2025-12-19",0.35964,{"date":609,"score":474,"percentile":610},"2025-12-20",0.35945,{"date":612,"score":474,"percentile":613},"2025-12-21",0.35893,{"date":615,"score":474,"percentile":616},"2025-12-22",0.35868,{"date":618,"score":474,"percentile":619},"2025-12-23",0.35864,{"date":621,"score":474,"percentile":622},"2025-12-24",0.35856,{"date":624,"score":474,"percentile":625},"2025-12-25",0.35918,{"date":627,"score":474,"percentile":505},"2025-12-26",{"date":629,"score":474,"percentile":630},"2025-12-27",0.35916,{"date":632,"score":474,"percentile":633},"2025-12-28",0.3582,{"date":635,"score":474,"percentile":636},"2025-12-29",0.35791,{"date":638,"score":474,"percentile":639},"2025-12-30",0.35783,{"date":641,"score":474,"percentile":478},"2025-12-31",{"date":643,"score":474,"percentile":644},"2026-01-01",0.35984,{"date":646,"score":474,"percentile":647},"2026-01-02",0.35974,{"date":649,"score":474,"percentile":650},"2026-01-03",0.3596,{"date":652,"score":474,"percentile":653},"2026-01-04",0.35804,{"date":655,"score":474,"percentile":656},"2026-01-05",0.35786,{"date":658,"score":474,"percentile":659},"2026-01-06",0.35796,{"date":661,"score":474,"percentile":493},"2026-01-07",{"date":663,"score":474,"percentile":478},"2026-01-08",{"date":665,"score":474,"percentile":666},"2026-01-09",0.35838,{"date":668,"score":474,"percentile":669},"2026-01-10",0.35843,{"date":671,"score":474,"percentile":672},"2026-01-11",0.35823,{"date":674,"score":474,"percentile":576},"2026-01-12",{"date":676,"score":474,"percentile":677},"2026-01-13",0.35746,{"date":679,"score":474,"percentile":659},"2026-01-14",{"date":681,"score":474,"percentile":682},"2026-01-15",0.35782,{"date":684,"score":474,"percentile":579},"2026-01-16",{"date":686,"score":474,"percentile":656},"2026-01-17",{"date":688,"score":474,"percentile":689},"2026-01-18",0.35727,{"date":691,"score":474,"percentile":692},"2026-01-19",0.35688,{"date":694,"score":474,"percentile":695},"2026-01-20",0.35669,{"date":697,"score":474,"percentile":698},"2026-01-21",0.3565,{"date":700,"score":474,"percentile":701},"2026-01-22",0.35636,{"date":703,"score":474,"percentile":704},"2026-01-23",0.35692,{"date":706,"score":474,"percentile":707},"2026-01-24",0.35702,{"date":709,"score":474,"percentile":710},"2026-01-25",0.35647,{"date":712,"score":474,"percentile":713},"2026-01-26",0.35579,{"date":715,"score":474,"percentile":716},"2026-01-27",0.35574,{"date":718,"score":474,"percentile":719},"2026-01-28",0.35553,{"date":721,"score":474,"percentile":722},"2026-01-29",0.35524,{"date":724,"score":474,"percentile":725},"2026-01-30",0.35518,{"date":727,"score":474,"percentile":728},"2026-01-31",0.35528,{"date":730,"score":474,"percentile":731},"2026-02-01",0.35639,[733,740,750],{"source":425,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":734,"cvss_v4_0":9},{"baseScore":735,"baseSeverity":736,"vectorString":737,"impactScore":738,"exploitabilityScore":739},3,"LOW","CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",2.3,3.3,{"source":419,"cvss_v2_0":741,"cvss_v3_0":9,"cvss_v3_1":744,"cvss_v4_0":9},{"baseScore":417,"baseSeverity":9,"vectorString":420,"impactScore":742,"exploitabilityScore":743},6.4,8,{"baseScore":745,"baseSeverity":746,"vectorString":747,"impactScore":748,"exploitabilityScore":749},4.7,"MEDIUM","CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",5.7,3.1,{"source":426,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":751,"cvss_v4_0":9},{"baseScore":735,"baseSeverity":9,"vectorString":737,"impactScore":738,"exploitabilityScore":739},[753,768,776],{"ecosystem":754,"name":755,"vendor":756,"product":757,"cpe_part":9,"purl_type":758,"purl_namespace":756,"purl_name":757,"source":9,"versions":759},"Go","helm.sh/helm","helm.sh","helm","golang",[760],{"version":761,"is_range":762,"range_type":763,"version_start":764,"version_start_type":765,"version_end":766,"version_end_type":767,"fixed_in":9},"gte2_0_0_lt2_16_11",true,"semver","2.0.0","including","2.16.11","excluding",{"ecosystem":754,"name":769,"vendor":755,"product":770,"cpe_part":9,"purl_type":758,"purl_namespace":755,"purl_name":770,"source":9,"versions":771},"helm.sh/helm/v3","v3",[772],{"version":773,"is_range":762,"range_type":763,"version_start":774,"version_start_type":765,"version_end":775,"version_end_type":767,"fixed_in":9},"gte3_0_0_lt3_3_2","3.0.0","3.3.2",{"ecosystem":9,"name":757,"vendor":757,"product":757,"cpe_part":777,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":778},"a",[779,782],{"version":780,"is_range":762,"range_type":781,"version_start":764,"version_start_type":765,"version_end":766,"version_end_type":767,"fixed_in":9},">= 2.0.0, \u003C 2.16.11","cpe",{"version":783,"is_range":762,"range_type":781,"version_start":774,"version_start_type":765,"version_end":775,"version_end_type":767,"fixed_in":9},">= 3.0.0, \u003C 3.3.2"]