chainguard.dev/apko (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package chainguard.dev/apko, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2024-36127 — CVSS 7.5 (high): apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This…
CVE-2026-25140 — CVSS 7.5 (high): apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who…
CVE-2026-42574 — CVSS 7.5 (high): apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted…
CVE-2026-42575 — CVSS 7.5 (high): apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on…
CVE-2026-25121 — CVSS 7.5 (high): apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal…
CVE-2025-53945 — CVSS 7.0 (high): apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version…
CVE-2026-42576 — CVSS 6.5 (medium): apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in…
CVE-2026-25122 — CVSS 5.5 (medium): apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split…