110 matches found
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...
GHSA-QQ3R-W4HJ-GJP6 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...
PT-2026-36990
Name of the Vulnerable Software and Affected Versions apko affected versions not specified Description apko verifies the signature on 'APKINDEX.tar.gz' but fails to compare individually downloaded '.apk' packages against the checksum recorded in the signed index. Although the checksum is parsed v...
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...
PT-2026-37052
Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.2.4 Description A crafted .apk file can install a TypeSymlink tar entry with a target pointing outside the build root. Subsequent directory-creation or file-write entries in the same or later archive can traverse...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: polaris, go, flux, dbmate, metacontroller, flux-helm-controller, apko, nova, flux-operator, smokescreen, osv-scanner, stakater-reloader, flux-image-reflector-controller, aws-network-policy-agent, mariadb-operator, dkron, ingress-nginx-controller,...
CVE-2026-34165 vulnerabilities
Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...
CVE-2026-33762 vulnerabilities
Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...
GHSA-GM2X-2G9H-CCM8 vulnerabilities
Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...
GHSA-JHF3-XXHW-2WPP vulnerabilities
Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...
GHSA-GM2X-2G9H-CCM8 vulnerabilities
Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...
CVE-2026-34165 vulnerabilities
Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...
SUSE CVE-2026-25140
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in...
GHSA-8FJ7-8H3W-XWFM vulnerabilities
Vulnerabilities for packages: splunk-otel-collector, buildkite-agent-fips, terraform-provider-acme, cluster-api-azure-controller, apache-beam-python-3.13-sdk, apm-server, nemo, apache-beam-python-3.11-sdk, kube-rbac-proxy, flux-source-watcher-fips, crossplane-provider-aws-memorydb,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: witness, apko, scorecard, osv-scanner, crossplane-provider-aws-ec2, terraform-provider-azuread, crossplane-provider-aws-cloudwatchlogs, pulumi-kubernetes-operator, crossplane-provider-aws-cloudfront, terraform-provider-azurerm, buildkitd, grafana, helm-push, tfsec,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: witness, apko, scorecard, osv-scanner, crossplane-provider-aws-ec2, terraform-provider-azuread, crossplane-provider-aws-cloudwatchlogs, pulumi-kubernetes-operator, crossplane-provider-aws-cloudfront, terraform-provider-azurerm, buildkitd, grafana, helm-push, tfsec,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, kyverno-fips, crossplane-fips, lazygit, crossplane-provider-aws-memorydb, gitlab-runner-fips, melange, crossplane-provider-aws-efs-fips, crossplane-provider-azure-managedidentity, kubescape, omni, tekton-pipelines, apko-fips,...
GO-2026-4410 apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko
apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko...
SUSE CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...