Lucene search
K

6 matches found

Vulnrichment
Vulnrichment
added 2026/05/09 7:24 p.m.6 views

CVE-2026-42574 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same o...

7.5CVSS5.7AI score0.00352EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/09 7:24 p.m.11 views

EUVD-2026-28932

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same o...

7.5CVSS5.7AI score0.00352EPSS
Exploits0References4
CVE
CVE
added 2026/05/09 7:24 p.m.22 views

CVE-2026-42574

The CVE-2026-42574 issue affects apko dirFS used to build/publish OCI images. A crafted APK could place a TypeSymlink tar entry whose target points outside the build root, enabling traversal to host paths via subsequent directory creation or write operations within the same or later archive. Root...

7.5CVSS5.7AI score0.00352EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/04 9:26 p.m.6 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...

8.7CVSS5.8AI score0.00352EPSS
Exploits0References3
OSV
OSV
added 2026/05/04 9:26 p.m.7 views

GHSA-QQ3R-W4HJ-GJP6 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...

7.5CVSS5.8AI score0.00352EPSS
Exploits0References6
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.188 views

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the sanitizePath...

7.5CVSS5.8AI score0.00352EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder