CVE-2026-42574— apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

CVSS 7.5 · High EPSS 0.05% · P16 Updated May 10, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42574

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Source: NVD (National Vulnerability Database)

Vulnerability Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对路径名的限制不恰当(路径遍历)

Source: NVD (National Vulnerability Database)

Vulnerability Title

apko 路径遍历漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

apko是apko开源的一个基于 apk 的 OCI 镜像构建器。 apko 0.14.8版本至1.2.5之前版本存在路径遍历漏洞，该漏洞源于特制.apk包可能安装指向构建根目录外的TypeSymlink tar条目，可能导致后续操作遍历符号链接访问主机路径。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
chainguard-dev	apko	>= 0.14.8, < 1.2.5	-

II. Public POCs for CVE-2026-42574

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

Qwen3.6-35B-A3B · 7176 chars

Paid plan includes:

In-depth vulnerability mechanism

Trigger conditions & impact

Full executable POC code

Exploit chain & mitigation

POC zip download

100+ AI POC generations per month

Upgrade Pro to unlock ¥99/month Sign up first

III. Intelligence Information for CVE-2026-42574

请登录查看更多情报信息。

Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total

CVE-2026-42575	7.5 HIGH	apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitutio
CVE-2026-42576	6.5 MEDIUM	apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

IV. Related Vulnerabilities

Same product: apko

Same vendor: chainguard-dev

Same weakness: CWE-22

V. Comments for CVE-2026-42574

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42574— apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

I. Basic Information for CVE-2026-42574

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42574

III. Intelligence Information for CVE-2026-42574

Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-42574

Leave a comment