PT-2026-6267 · Apko · Apko

·

CVE-2026-25121

·

Published

2026-02-03

·

Updated

2026-02-20

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.1.0
Description apko is a tool that enables users to build and publish OCI container images from apk packages. A path traversal issue exists in apko’s dirFS filesystem abstraction between versions 0.14.8 and 1.1.0. An attacker providing a malicious APK package could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods within the pkg/apk/fs/rwosfs.go file utilize filepath.Join() without ensuring the resulting path remains within the base directory.
Recommendations Update to version 1.1.1 or later.

Exploit

Fix

Relative Path Traversal

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-25121
GHSA-5G94-C2WX-8PXW
GO-2026-4405
SUSE-SU-2026:0403-1

Affected Products

Apko