PT-2026-23725 · Zarf · Zarf

Joonas · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-29064

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Zarf versions 0.54.0 through 0.73.0

Description: Zarf, an Airgap Native Package Manager for Kubernetes, contains a path traversal flaw in its archive extraction process. A specially designed Zarf package can create symbolic links that point to locations outside the intended destination directory. This could allow unauthorized reading or writing of files on the system processing the package.

Recommendations: Update to Zarf version 0.73.1 or later.
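As an added example (not code from the Zarf project or from this advisory), the following Go program shows the defensive check an archive extractor needs against the class of flaw described above: every symbolic-link entry is resolved against the destination root before anything is written to disk, and an entry is rejected when its own path, or the path its link target resolves to, would land outside that root. The destination path `/opt/pkg`, the entry names and the in-memory tar archive are constructed for illustration and are not taken from Zarf.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// isWithin reports whether path is root itself or lies beneath it.
// Both arguments must already be cleaned absolute paths.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeSymlinkTarget resolves the symlink entry `name` with link target
// `linkTarget` against destRoot and returns the resolved path. It fails if the
// entry's own path escapes destRoot, if the target is absolute, or if the
// target, resolved from the link's directory as the OS would, escapes destRoot.
func safeSymlinkTarget(destRoot, name, linkTarget string) (string, error) {
	root := filepath.Clean(destRoot)
	linkPath := filepath.Join(root, name) // Join cleans, so "x/../../y" collapses
	if !isWithin(root, linkPath) {
		return "", fmt.Errorf("entry %q escapes %q", name, root)
	}
	if filepath.IsAbs(linkTarget) || strings.HasPrefix(linkTarget, "/") {
		return "", fmt.Errorf("symlink %q has absolute target %q", name, linkTarget)
	}
	resolved := filepath.Join(filepath.Dir(linkPath), linkTarget)
	if !isWithin(root, resolved) {
		return "", fmt.Errorf("symlink %q -> %q resolves outside %q", name, linkTarget, root)
	}
	return resolved, nil
}

// vetArchive walks a tar stream without writing anything and classifies each
// entry as accepted or rejected. Symlinks go through safeSymlinkTarget; every
// other entry type only needs its own path checked.
func vetArchive(destRoot string, r io.Reader) ([]string, []string, error) {
	root := filepath.Clean(destRoot)
	var accepted, rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return accepted, rejected, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Typeflag == tar.TypeSymlink {
			if _, e := safeSymlinkTarget(root, hdr.Name, hdr.Linkname); e != nil {
				rejected = append(rejected, e.Error())
				continue
			}
		} else if !isWithin(root, filepath.Join(root, hdr.Name)) {
			rejected = append(rejected, fmt.Sprintf("entry %q escapes %q", hdr.Name, root))
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
}

// buildSampleArchive constructs an in-memory tar (sample data, not a real Zarf
// package) with one benign symlink and two that would escape the destination.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("kind: ZarfPackageConfig\n")
	_ = tw.WriteHeader(&tar.Header{Name: "zarf.yaml", Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	_, _ = tw.Write(body)
	_ = tw.WriteHeader(&tar.Header{Name: "bin/", Mode: 0o755, Typeflag: tar.TypeDir})
	for _, l := range [][2]string{
		{"bin/link-ok", "../zarf.yaml"},       // stays inside the destination
		{"bin/link-bad", "../../outside.txt"}, // climbs above the destination
		{"abs-bad", "/tmp/outside.txt"},       // absolute target
	} {
		_ = tw.WriteHeader(&tar.Header{Name: l[0], Linkname: l[1], Mode: 0o777, Typeflag: tar.TypeSymlink})
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := vetArchive("/opt/pkg", bytes.NewReader(buildSampleArchive()))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("accepted:", accepted)
	for _, r := range rejected {
		fmt.Println("rejected:", r)
	}
}
```

The path check alone is not the whole fix: an extractor that writes entries in archive order must also refuse to write through a symlink created by an earlier entry (check the parent directory with Lstat, or create files with O_NOFOLLOW), otherwise a symlinked directory inside the destination can still redirect later writes.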

Exploit · Fix · Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-29064
GHSA-HCM4-6HPJ-VGHM
GO-2026-4636
SUSE-SU-2026:1042-1

Affected products

Zarf