CVE-2026-25121

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.1.0

Description apko is a tool that enables users to build and publish OCI container images from apk packages. A path traversal issue exists in apko’s dirFS filesystem abstraction between versions 0.14.8 and 1.1.0. An attacker providing a malicious APK package could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods within the pkg/apk/fs/rwosfs.go file utilize filepath.Join() without ensuring the resulting path remains within the base directory.

Recommendations Update to version 1.1.1 or later.

Exploit

Fix

Relative Path Traversal

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-23CWE-22

Related Identifiers

CVE-2026-25121

GHSA-5G94-C2WX-8PXW

GO-2026-4405

SUSE-SU-2026:0403-1

Affected Products

Apko

CVE-2026-25121

Weakness Enumeration

Related Identifiers

Affected Products

References · 88