HIGH 7.5 CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
from 0, < 1.2.7
HIGH 7.5 CVE-2026-42574 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
>= 0.14.8, < 1.2.5
HIGH 7.5 CVE-2026-25140 apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko
>= 0.14.8, < 1.1.1
HIGH 7.5 apko has a path traversal in apko dirFS which allows filesystem writes outside base in chainguard.dev/apko
>= 0.14.8, < 1.1.0
HIGH 7.5 apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko
from 0, < 0.14.5
HIGH 7.0 apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files in chainguard.dev/apko
>= 0.27.0, < 0.29.5
MEDIUM 6.5 apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
from 0, < 1.2.7
MEDIUM 5.5 apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams in chainguard.dev/apko
>= 0.14.8, < 1.1.0