apk package

chainguard/kaniko

pkg:apk/chainguard/kaniko

Vulnerabilities (50)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-45571		—	< 1.25.15-r1	1.25.15-r1	May 19, 2026	### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570	low	—	< 1.25.15-r1	1.25.15-r1	May 19, 2026	### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022	hig	—	< 1.25.14-r2	1.25.14-r2	May 11, 2026	### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506	Med	4.7	< 1.25.13-r1	1.25.13-r1	May 8, 2026	go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-39883	Hig	7.0	< 1.25.12-r5	1.25.12-r5	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-34986	Hig	7.5	< 1.25.12-r2	1.25.12-r2	Apr 6, 2026	Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165	Med	5.0	< 1.25.12-r3	1.25.12-r3	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762	Low	2.8	< 1.25.12-r3	1.25.12-r3	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-33748	Hig	7.5	< 1.25.12-r1	1.25.12-r1	Mar 27, 2026	BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Pos
CVE-2026-33747	Hig	8.4	< 1.25.12-r1	1.25.12-r1	Mar 27, 2026	BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit sta
CVE-2026-27142	Med	6.1	< 1.25.11-r1	1.25.11-r1	Mar 6, 2026	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139	Low	2.5	< 1.25.11-r1	1.25.11-r1	Mar 6, 2026	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679	Hig	7.5	< 1.25.11-r1	1.25.11-r1	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-24051		—	< 1.25.10-r1	1.25.10-r1	Feb 2, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
CVE-2025-64329		—	< 1.25.4-r0	1.25.4-r0	Nov 7, 2025	containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks
CVE-2024-25621		—	< 1.25.4-r0	1.25.4-r0	Nov 6, 2025	containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd
CVE-2025-47907		—	< 1.25.1-r2	1.25.1-r2	Aug 7, 2025	Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-22872	Med	6.5	< 1.23.2-r17	1.23.2-r17	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-22871	Cri	9.1	< 1.23.2-r16	1.23.2-r16	Apr 8, 2025	The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2025-30204	Hig	7.5	< 1.23.2-r15	1.23.2-r15	Mar 21, 2025	golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

CVE-2026-45571May 19, 2026
affected < 1.25.15-r1fixed 1.25.15-r1
### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570lowMay 19, 2026
affected < 1.25.15-r1fixed 1.25.15-r1
### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022higMay 11, 2026
affected < 1.25.14-r2fixed 1.25.14-r2
### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506MedMay 8, 2026
affected < 1.25.13-r1fixed 1.25.13-r1
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-39883HigApr 8, 2026
affected < 1.25.12-r5fixed 1.25.12-r5
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-34986HigApr 6, 2026
affected < 1.25.12-r2fixed 1.25.12-r2
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165MedMar 31, 2026
affected < 1.25.12-r3fixed 1.25.12-r3
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762LowMar 31, 2026
affected < 1.25.12-r3fixed 1.25.12-r3
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-33748HigMar 27, 2026
affected < 1.25.12-r1fixed 1.25.12-r1
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Pos
CVE-2026-33747HigMar 27, 2026
affected < 1.25.12-r1fixed 1.25.12-r1
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit sta
CVE-2026-27142MedMar 6, 2026
affected < 1.25.11-r1fixed 1.25.11-r1
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139LowMar 6, 2026
affected < 1.25.11-r1fixed 1.25.11-r1
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679HigMar 6, 2026
affected < 1.25.11-r1fixed 1.25.11-r1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-24051Feb 2, 2026
affected < 1.25.10-r1fixed 1.25.10-r1
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
CVE-2025-64329Nov 7, 2025
affected < 1.25.4-r0fixed 1.25.4-r0
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks
CVE-2024-25621Nov 6, 2025
affected < 1.25.4-r0fixed 1.25.4-r0
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd
CVE-2025-47907Aug 7, 2025
affected < 1.25.1-r2fixed 1.25.1-r2
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-22872MedApr 16, 2025
affected < 1.23.2-r17fixed 1.23.2-r17
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-22871CriApr 8, 2025
affected < 1.23.2-r16fixed 1.23.2-r16
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2025-30204HigMar 21, 2025
affected < 1.23.2-r15fixed 1.23.2-r15
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

Page 1 of 3