Vulnerability Details CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 20.4%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-25121
-
cpe:2.3:a:chainguard:apko:0.14.8
-
cpe:2.3:a:chainguard:apko:0.14.9
-
cpe:2.3:a:chainguard:apko:0.15.0
-
cpe:2.3:a:chainguard:apko:0.16.0
-
cpe:2.3:a:chainguard:apko:0.17.0
-
cpe:2.3:a:chainguard:apko:0.18.0
-
cpe:2.3:a:chainguard:apko:0.18.1
-
cpe:2.3:a:chainguard:apko:0.19.0
-
cpe:2.3:a:chainguard:apko:0.19.1
-
cpe:2.3:a:chainguard:apko:0.19.2
-
cpe:2.3:a:chainguard:apko:0.19.3
-
cpe:2.3:a:chainguard:apko:0.19.4
-
cpe:2.3:a:chainguard:apko:0.19.5
-
cpe:2.3:a:chainguard:apko:0.19.6
-
cpe:2.3:a:chainguard:apko:0.19.7
-
cpe:2.3:a:chainguard:apko:0.19.8
-
cpe:2.3:a:chainguard:apko:0.19.9
-
cpe:2.3:a:chainguard:apko:0.20.0
-
cpe:2.3:a:chainguard:apko:0.20.1
-
cpe:2.3:a:chainguard:apko:0.20.2
-
cpe:2.3:a:chainguard:apko:0.21.0
-
cpe:2.3:a:chainguard:apko:0.22.0
-
cpe:2.3:a:chainguard:apko:0.22.1
-
cpe:2.3:a:chainguard:apko:0.22.2
-
cpe:2.3:a:chainguard:apko:0.22.3
-
cpe:2.3:a:chainguard:apko:0.22.4
-
cpe:2.3:a:chainguard:apko:0.22.5
-
cpe:2.3:a:chainguard:apko:0.22.6
-
cpe:2.3:a:chainguard:apko:0.22.7
-
cpe:2.3:a:chainguard:apko:0.23.0
-
cpe:2.3:a:chainguard:apko:0.24.0
-
cpe:2.3:a:chainguard:apko:0.25.0
-
cpe:2.3:a:chainguard:apko:0.25.1
-
cpe:2.3:a:chainguard:apko:0.25.2
-
cpe:2.3:a:chainguard:apko:0.25.3
-
cpe:2.3:a:chainguard:apko:0.25.4
-
cpe:2.3:a:chainguard:apko:0.25.5
-
cpe:2.3:a:chainguard:apko:0.25.6
-
cpe:2.3:a:chainguard:apko:0.25.7
-
cpe:2.3:a:chainguard:apko:0.26.0
-
cpe:2.3:a:chainguard:apko:0.26.1
-
cpe:2.3:a:chainguard:apko:0.27.0
-
cpe:2.3:a:chainguard:apko:0.27.1
-
cpe:2.3:a:chainguard:apko:0.27.2
-
cpe:2.3:a:chainguard:apko:0.27.3
-
cpe:2.3:a:chainguard:apko:0.27.4
-
cpe:2.3:a:chainguard:apko:0.27.5
-
cpe:2.3:a:chainguard:apko:0.27.6
-
cpe:2.3:a:chainguard:apko:0.27.7
-
cpe:2.3:a:chainguard:apko:0.27.8
-
cpe:2.3:a:chainguard:apko:0.27.9
-
cpe:2.3:a:chainguard:apko:0.28.0
-
cpe:2.3:a:chainguard:apko:0.29.0
-
cpe:2.3:a:chainguard:apko:0.29.1
-
cpe:2.3:a:chainguard:apko:0.29.10
-
cpe:2.3:a:chainguard:apko:0.29.2
-
cpe:2.3:a:chainguard:apko:0.29.3
-
cpe:2.3:a:chainguard:apko:0.29.4
-
cpe:2.3:a:chainguard:apko:0.29.5
-
cpe:2.3:a:chainguard:apko:0.29.6
-
cpe:2.3:a:chainguard:apko:0.29.7
-
cpe:2.3:a:chainguard:apko:0.29.8
-
cpe:2.3:a:chainguard:apko:0.29.9
-
cpe:2.3:a:chainguard:apko:0.30.0
-
cpe:2.3:a:chainguard:apko:0.30.1
-
cpe:2.3:a:chainguard:apko:0.30.10
-
cpe:2.3:a:chainguard:apko:0.30.11
-
cpe:2.3:a:chainguard:apko:0.30.12
-
cpe:2.3:a:chainguard:apko:0.30.13
-
cpe:2.3:a:chainguard:apko:0.30.14
-
cpe:2.3:a:chainguard:apko:0.30.15
-
cpe:2.3:a:chainguard:apko:0.30.16
-
cpe:2.3:a:chainguard:apko:0.30.17
-
cpe:2.3:a:chainguard:apko:0.30.18
-
cpe:2.3:a:chainguard:apko:0.30.19
-
cpe:2.3:a:chainguard:apko:0.30.2
-
cpe:2.3:a:chainguard:apko:0.30.20
-
cpe:2.3:a:chainguard:apko:0.30.21
-
cpe:2.3:a:chainguard:apko:0.30.22
-
cpe:2.3:a:chainguard:apko:0.30.23
-
cpe:2.3:a:chainguard:apko:0.30.24
-
cpe:2.3:a:chainguard:apko:0.30.25
-
cpe:2.3:a:chainguard:apko:0.30.26
-
cpe:2.3:a:chainguard:apko:0.30.27
-
cpe:2.3:a:chainguard:apko:0.30.28
-
cpe:2.3:a:chainguard:apko:0.30.29
-
cpe:2.3:a:chainguard:apko:0.30.3
-
cpe:2.3:a:chainguard:apko:0.30.30
-
cpe:2.3:a:chainguard:apko:0.30.31
-
cpe:2.3:a:chainguard:apko:0.30.32
-
cpe:2.3:a:chainguard:apko:0.30.33
-
cpe:2.3:a:chainguard:apko:0.30.34
-
cpe:2.3:a:chainguard:apko:0.30.35
-
cpe:2.3:a:chainguard:apko:0.30.4
-
cpe:2.3:a:chainguard:apko:0.30.5
-
cpe:2.3:a:chainguard:apko:0.30.6
-
cpe:2.3:a:chainguard:apko:0.30.7
-
cpe:2.3:a:chainguard:apko:0.30.8
-
cpe:2.3:a:chainguard:apko:0.30.9
-
cpe:2.3:a:chainguard:apko:1.0.0
-
cpe:2.3:a:chainguard:apko:1.0.1
-
cpe:2.3:a:chainguard:apko:1.0.2
-
cpe:2.3:a:chainguard:apko:1.0.3
-
cpe:2.3:a:chainguard:apko:1.0.4
-
cpe:2.3:a:chainguard:apko:1.0.5
-
cpe:2.3:a:chainguard:apko:1.1.0