cvedb.io
CVE-2026-20613
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-01-23T00:15:52.283 · Last modified 2026-06-17T10:17:31.753

Summary

The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
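The missing check, sketched as an added example (not the project's code or its fix): Python's tarfile stands in for the Swift ArchiveReader, and the function names and the sample archive are constructed for illustration. It resolves each member name against the destination before writing, and also rejects link and device members, which goes beyond the relative-pathname case in the summary.

```python
import io
import os
import tarfile
import tempfile


def resolves_inside(dest: str, member_name: str) -> bool:
    """True if member_name, joined to dest, still resolves under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member_name))
    return os.path.commonpath([root, target]) == root


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract files and directories under dest; return rejected names."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            # Only plain files/dirs are written; links and device nodes
            # could redirect a later write, so they are refused here.
            if not (m.isfile() or m.isdir()) or not resolves_inside(dest, m.name):
                rejected.append(m.name)
                continue
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
    return rejected


def build_sample() -> bytes:
    """Constructed archive: one benign member, one relative-path escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("layer/ok.txt", "../../escape.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("rejected:", safe_extract(build_sample(), d))
```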

Affected products

apple — container

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.