Cyber Posture

CVE-2026-42574

High

Published: 09 May 2026

Published
09 May 2026
Modified
09 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0005 15.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42574 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

NVD Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent…

more

directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-22CWE-59

Affected Products

From
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-41433Shared CWE-22, CWE-59
CVE-2026-24842Shared CWE-22, CWE-59
CVE-2026-44340Shared CWE-22, CWE-59
CVE-2026-33748Shared CWE-22, CWE-59
CVE-2026-34603Shared CWE-22, CWE-59
CVE-2026-34604Shared CWE-22, CWE-59
CVE-2026-6941Shared CWE-22, CWE-59
CVE-2024-57728Shared CWE-22, CWE-59
CVE-2026-24046Shared CWE-22, CWE-59
CVE-2024-12905Shared CWE-22, CWE-59

References