Cyber Resilience

CVE-2026-42574

High

Published: 09 May 2026

Published
09 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0007 22.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42574 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent…

more

directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Path traversal via malicious .apk archive enables arbitrary host file write during builds, directly facilitating malicious file processing and supply chain attacks on build tools.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27704Shared CWE-22
CVE-2026-44340Shared CWE-22, CWE-59
CVE-2026-24842Shared CWE-22, CWE-59
CVE-2026-6941Shared CWE-22, CWE-59
CVE-2026-39307Shared CWE-22
CVE-2024-57728Shared CWE-22, CWE-59
CVE-2026-27606Shared CWE-22
CVE-2026-33748Shared CWE-22, CWE-59
CVE-2024-12905Shared CWE-22, CWE-59
CVE-2026-34603Shared CWE-22, CWE-59

Affected Assets

From
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References