Chainguard

Apko

5 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.25%
  • Published 09.05.2026 19:26:56
  • Last modified 13.05.2026 15:23:57

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a re...

  • EPSS 0.35%
  • Published 09.05.2026 19:24:48
  • Last modified 13.05.2026 15:23:57

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent direc...

  • EPSS 0.37%
  • Published 04.02.2026 19:02:20
  • Last modified 20.02.2026 21:31:56

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The Ex...

  • EPSS 0.37%
  • Published 04.02.2026 19:02:17
  • Last modified 20.02.2026 21:31:35

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK...

  • EPSS 0.11%
  • Published 04.02.2026 19:02:15
  • Last modified 20.02.2026 21:31:50

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an att...