The /registercrd endpoint in KubePlus version 4.14, specifically within the kubeconfiggenerator component, is vulnerable to command injection (CWE-94). This occurs because the component executes shell commands using subprocess.Popen() with the shell=True parameter, and it directly concatenates the user-controlled chartName parameter into the command string without any input validation or sanitization. An attacker with low privileges can exploit this to inject and execute arbitrary shell commands on the underlying system. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. There is no information on affected versions beyond 4.14, no known exploits in the wild, and no vendor advisory or patch currently available.

Successful exploitation allows an attacker with low privileges to execute arbitrary shell commands on the system hosting the vulnerable KubePlus component. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. Given the high CVSS score (8.8), the impact is severe, potentially allowing remote code execution and system takeover.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid exposing the /registercrd endpoint to untrusted users and restrict access to trusted administrators only. Consider implementing input validation or filtering on the chartName parameter as a temporary mitigation if possible.