CVE-2026-42574

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 13, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

Product

chainguard.dev/apko

External References

https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6
https://github.com/chainguard-dev/apko/pull/2187
https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
https://github.com/advisories/GHSA-qq3r-w4hj-gjp6

CVE-2026-42574

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment