CVE-2026-42574
Published: 09 May 2026
Summary
CVE-2026-42574 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28932
Vulnerability details
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent…
more
directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal via malicious .apk archive enables arbitrary host file write during builds, directly facilitating malicious file processing and supply chain attacks on build tools.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.