2 matches found
CVE-2026-29064
Zarf (Airgap Native Packager Manager for Kubernetes) is affected by a path traversal vulnerability in archive extraction from versions 0.54.0 up to before 0.73.1. The issue arises because symlink targets are not validated against the destination directory, enabling a package to create symlinks th...
CVE-2026-40090
Zarf (Airgap Native Packager Manager for Kubernetes) versions 0.23.0–0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation commands. The vulnerability arises because output file paths are constructed by joining a user-controll...