Vulnerability Details CVE-2026-20613
The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.7%
CVSS Severity
CVSS v3 Score 7.8
Products affected by CVE-2026-20613
- cpe:2.3:a:apple:container:0.1.0
- cpe:2.3:a:apple:container:0.2.0
- cpe:2.3:a:apple:container:0.3.0
- cpe:2.3:a:apple:container:0.4.0
- cpe:2.3:a:apple:container:0.4.1
- cpe:2.3:a:apple:container:0.5.0
- cpe:2.3:a:apple:container:0.6.0
- cpe:2.3:a:apple:container:0.7.0
- cpe:2.3:a:apple:container:0.7.1
- cpe:2.3:a:apple:containerization:0.1.0
- cpe:2.3:a:apple:containerization:0.1.1
- cpe:2.3:a:apple:containerization:0.10.0
- cpe:2.3:a:apple:containerization:0.10.1
- cpe:2.3:a:apple:containerization:0.11.0
- cpe:2.3:a:apple:containerization:0.12.0
- cpe:2.3:a:apple:containerization:0.12.1
- cpe:2.3:a:apple:containerization:0.13.0
- cpe:2.3:a:apple:containerization:0.14.0
- cpe:2.3:a:apple:containerization:0.15.0
- cpe:2.3:a:apple:containerization:0.15.1
- cpe:2.3:a:apple:containerization:0.16.0
- cpe:2.3:a:apple:containerization:0.16.1
- cpe:2.3:a:apple:containerization:0.16.2
- cpe:2.3:a:apple:containerization:0.17.0
- cpe:2.3:a:apple:containerization:0.17.1
- cpe:2.3:a:apple:containerization:0.18.0
- cpe:2.3:a:apple:containerization:0.19.0
- cpe:2.3:a:apple:containerization:0.2.0
- cpe:2.3:a:apple:containerization:0.20.0
- cpe:2.3:a:apple:containerization:0.20.1
- cpe:2.3:a:apple:containerization:0.3.0
- cpe:2.3:a:apple:containerization:0.4.0
- cpe:2.3:a:apple:containerization:0.4.1
- cpe:2.3:a:apple:containerization:0.5.0
- cpe:2.3:a:apple:containerization:0.6.0
- cpe:2.3:a:apple:containerization:0.6.1
- cpe:2.3:a:apple:containerization:0.6.2
- cpe:2.3:a:apple:containerization:0.7.0
- cpe:2.3:a:apple:containerization:0.7.1
- cpe:2.3:a:apple:containerization:0.7.2
- cpe:2.3:a:apple:containerization:0.8.0
- cpe:2.3:a:apple:containerization:0.8.1
- cpe:2.3:a:apple:containerization:0.9.0
- cpe:2.3:a:apple:containerization:0.9.1