Lucene search
K

7 matches found

CVE
CVE
added 2026/05/09 7:26 p.m.16 views

CVE-2026-42575

CVE-2026-42575 affects chainguard/apko: before v1.2.7, apko verifies APKINDEX.signed index but does not compare individually downloaded .apk checksums to the index checksum. The ChecksumString() is parsed but never cross-checked with the downloaded package’s control hash in getPackageImpl(), allo...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/09 7:26 p.m.39 views

CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

7.5CVSS0.00159EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/09 7:26 p.m.8 views

CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References3
OSV
OSV
added 2026/05/04 9:27 p.m.7 views

GHSA-HCWR-PQ9G-RQ3M apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.12 views

PT-2026-36990

Name of the Vulnerable Software and Affected Versions apko affected versions not specified Description apko verifies the signature on 'APKINDEX.tar.gz' but fails to compare individually downloaded '.apk' packages against the checksum recorded in the signed index. Although the checksum is parsed v...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References12
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.28 views

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/02/09 11:16 p.m.4 views

UBUNTU-CVE-2026-25934

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would like...

4.3CVSS5.8AI score0.00136EPSS
Exploits0References5
Rows per page
Query Builder