apk package

chainguard/wolfictl

pkg:apk/chainguard/wolfictl

Vulnerabilities (59)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-45571		—	< 0.39.16-r1	0.39.16-r1	May 19, 2026	### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570	low	—	< 0.39.16-r1	0.39.16-r1	May 19, 2026	### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022	hig	—	< 0.39.15-r1	0.39.15-r1	May 11, 2026	### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506	Med	4.7	< 0.39.10-r1	0.39.10-r1	May 8, 2026	go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-4660	Hig	7.5	< 0.39.10-r0	0.39.10-r0	Apr 9, 2026	HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branc
CVE-2026-39883	Hig	7.0	< 0.39.8-r2	0.39.8-r2	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-34986	Hig	7.5	< 0.39.7-r5	0.39.7-r5	Apr 6, 2026	Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165	Med	5.0	< 0.39.7-r1	0.39.7-r1	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762	Low	2.8	< 0.39.7-r1	0.39.7-r1	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-34040	Hig	8.8	< 0.39.6-r2	0.39.6-r2	Mar 31, 2026	Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVE-2026-33997	Med	6.8	< 0.39.6-r2	0.39.6-r2	Mar 31, 2026	Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre
CVE-2026-33481	Med	5.3	< 0.39.6-r1	0.39.6-r1	Mar 26, 2026	Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syf
CVE-2026-33186	Cri	9.1	< 0.39.5-r2	0.39.5-r2	Mar 20, 2026	gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
CVE-2026-27141	Hig	7.5	< 0.39.3-r1	0.39.3-r1	Feb 26, 2026	Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
CVE-2026-1229		—	< 0.39.2-r1	0.39.2-r1	Feb 24, 2026	The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-26958	Low	—	< 0.39.1-r1	0.39.1-r1	Feb 19, 2026	filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin
CVE-2026-25934		—	< 0.39.0-r3	0.39.0-r3	Feb 9, 2026	go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
CVE-2025-68121	Cri	10.0	< 0.39.0-r2	0.39.0-r2	Feb 5, 2026	During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732		—	< 0.39.0-r2	0.39.0-r2	Feb 5, 2026	A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2026-25145		—	< 0.39.0-r1	0.39.0-r1	Feb 4, 2026	melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host

CVE-2026-45571May 19, 2026
affected < 0.39.16-r1fixed 0.39.16-r1
### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570lowMay 19, 2026
affected < 0.39.16-r1fixed 0.39.16-r1
### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022higMay 11, 2026
affected < 0.39.15-r1fixed 0.39.15-r1
### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506MedMay 8, 2026
affected < 0.39.10-r1fixed 0.39.10-r1
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-4660HigApr 9, 2026
affected < 0.39.10-r0fixed 0.39.10-r0
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branc
CVE-2026-39883HigApr 8, 2026
affected < 0.39.8-r2fixed 0.39.8-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-34986HigApr 6, 2026
affected < 0.39.7-r5fixed 0.39.7-r5
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165MedMar 31, 2026
affected < 0.39.7-r1fixed 0.39.7-r1
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762LowMar 31, 2026
affected < 0.39.7-r1fixed 0.39.7-r1
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-34040HigMar 31, 2026
affected < 0.39.6-r2fixed 0.39.6-r2
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVE-2026-33997MedMar 31, 2026
affected < 0.39.6-r2fixed 0.39.6-r2
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre
CVE-2026-33481MedMar 26, 2026
affected < 0.39.6-r1fixed 0.39.6-r1
Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syf
CVE-2026-33186CriMar 20, 2026
affected < 0.39.5-r2fixed 0.39.5-r2
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
CVE-2026-27141HigFeb 26, 2026
affected < 0.39.3-r1fixed 0.39.3-r1
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
CVE-2026-1229Feb 24, 2026
affected < 0.39.2-r1fixed 0.39.2-r1
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-26958LowFeb 19, 2026
affected < 0.39.1-r1fixed 0.39.1-r1
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin
CVE-2026-25934Feb 9, 2026
affected < 0.39.0-r3fixed 0.39.0-r3
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
CVE-2025-68121CriFeb 5, 2026
affected < 0.39.0-r2fixed 0.39.0-r2
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732Feb 5, 2026
affected < 0.39.0-r2fixed 0.39.0-r2
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2026-25145Feb 4, 2026
affected < 0.39.0-r1fixed 0.39.0-r1
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host

Page 1 of 3