Package impact

golang Go / chainguard.dev/apko

| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42575 | high | 7.5 | 7.5 | | | | 21d ago | apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) |
| CVE-2026-42574 | high | 7.5 | 7.5 | | | | 21d ago | apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root |
| CVE-2026-42576 | medium | 6.5 | 6.5 | | | | 21d ago | apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery |
| CVE-2026-25140 | unknown | | | | | | 3mo ago | apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko |
| CVE-2026-25122 | unknown | | | | | | 4mo ago | apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams in chainguard.dev/apko |
| CVE-2026-25121 | unknown | | | | | | 4mo ago | apko has a path traversal in apko dirFS which allows filesystem writes outside base in chainguard.dev/apko |
| CVE-2025-53945 | unknown | | | | | | 11mo ago | apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files in chainguard.dev/apko |
| CVE-2024-36127 | unknown | | | | | | 2y ago | apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko |