4 matches found

NVD
added 2 days ago | 4 views

CVE-2026-46703

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in...

CVSS: 9.6 | EPSS: 0.00188
Exploits: 0 | References: 2

CVE
added 2 days ago | 11 views

CVE-2026-46703

Summary of CVE-2026-46703 (Boxlite): The vulnerability occurs when Boxlite extracts OCI image layer tarballs. A tar entry of type SYMLINK can point to an absolute host path (for example, escape -> /tmp), and subsequent file entries resolve through that symlink, enabling writes outside the ext...

CVSS: 9.6 | AI score: 6.3 | EPSS: 0.00188
Exploits: 0 | References: 2

Veracode
added 2017/05/03 8:56 a.m. | 19 views

Directory Traversal

github.com/docker/docker is vulnerable to path traversal attacks. These attacks are possible due to a flaw in the processing of absolute symlinks. The flaw allows attackers to use malicious images and builds to write files to the host system and escape containerization, possibly leading to...

CVSS: 8.6 | AI score: 8.5 | EPSS: 0.01018
Exploits: 0 | References: 4 | Affected Software: 1

RedHat Linux
added 2015/03/05 3:18 a.m. | 3 views

docker: Path traversal during processing of absolute symlinks

It was found that a malicious container image could overwrite arbitrary portions of the host file system by including absolute symlinks, potentially leading to privilege escalation...

CVSS: 8.6 | AI score: 7.2 | EPSS: 0.01018
Exploits: 0 | References: 5