Low severityOSV Advisory· Published Jan 22, 2026· Updated Jan 23, 2026
CVE-2026-20613
CVE-2026-20613
Description
The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/apple/containerizationSwiftURL | < 0.21.0 | 0.21.0 |
github.com/apple/containerSwiftURL | < 0.8.0 | 0.8.0 |
Affected products
3- Range: 0.1.0, 0.1.1, 0.10.0, …
- ghsa-coords2 versions
< 0.8.0+ 1 more
- (no CPE)range: < 0.8.0
- (no CPE)range: < 0.21.0
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.