Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33747
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
BuildKit vulnerable to malicious frontend causing file escape outside of storage root
Source: NVD (National Vulnerability Database)
Vulnerability Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
BuildKit 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
BuildKit是Moby开源的一个并发、高速缓存高效的构建器工具包。 BuildKit 0.28.1之前版本存在路径遍历漏洞,该漏洞源于自定义BuildKit前端可能构造API消息导致文件写入执行环境之外,可能导致任意文件写入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
mobybuildkit < 0.28.1 -
II. Public POCs for CVE-2026-33747
#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2026-33747
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: buildkit
Same vendor: moby
Same weakness: CWE-22
V. Comments for CVE-2026-33747

No comments yet

Leave a comment