VYPR
Vendor: Chainguard Dev
Products: 3
CVEs: 19 (across products: 19)
Status: Private

Recent CVEs (19)
  • CVE-2026-42575 | High | May 9, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is…

  • CVE-2026-42574 | High | May 9, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write…

  • CVE-2024-36127 | High | Jun 3, 2024
    risk 0.42 | cvss 7.5 | epss 0.00

    apko is an apk-based OCI image builder. apko exposes HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

  • CVE-2025-53945 | High | Jul 18, 2025
    risk 0.39 | cvss 7.0 | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the…

  • CVE-2026-42576 | Medium | May 9, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint…

  • CVE-2026-29050 | Medium | Apr 24, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set…

  • CVE-2026-29051 | Medium | Apr 24, 2026
    risk 0.22 | cvss 4.4 | epss 0.00

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining…

  • CVE-2025-54059 | Medium | Jul 18, 2025
    risk 0.22 | cvss 4.4 | epss 0.00

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on…

  • CVE-2026-29049 | Mar 6, 2026
    risk 0.00 | cvss n/a | epss 0.00

    melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a…

  • CVE-2026-28407 | Feb 27, 2026
    risk 0.00 | cvss n/a | epss 0.00

    malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives that failed to extract, which could potentially leave malicious content. A better approach is to…

  • CVE-2026-25145 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the…

  • CVE-2026-25143 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml…

  • CVE-2026-24844 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or…

  • CVE-2026-24843 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    melange allows users to build apk packages using declarative pipelines. From version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function…

  • CVE-2026-25140 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in…

  • CVE-2026-25121 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a…

  • CVE-2026-25122 | Feb 4, 2026
    risk 0.00 | cvss n/a | epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input…

  • CVE-2026-24846 | Jan 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or…

  • CVE-2026-24845 | Jan 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference.…