VYPR
Low severityOSV Advisory· Published Jan 22, 2026· Updated Jan 23, 2026

CVE-2026-20613

CVE-2026-20613

Description

The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/apple/containerizationSwiftURL
< 0.21.00.21.0
github.com/apple/containerSwiftURL
< 0.8.00.8.0

Affected products

3

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.