CVE-2026-42576 is a denial-of-service vulnerability in apko caused by an unchecked key-type assertion during repository key discovery. If apko processes a JWKS response that contains a non-RSA key, the process can panic and crash. The issue is fixed in apko version 1.2.7.
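To illustrate the bug class behind CVE-2026-42576, the following is an added example and not apko's own code: a minimal JWKS parser whose discovered key set mixes RSA and non-RSA keys, and a selector that uses the comma-ok type assertion rather than the bare form that panics. The JWKS document is constructed with placeholder parameters, and `parseJWKS` and `rsaKeys` are hypothetical names, not apko functions.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// Constructed JWKS response: an RSA key then an EC key (placeholder values).
const sampleJWKS = `{"keys":[{"kty":"RSA","n":"AQAB","e":"AQAB"},{"kty":"EC","crv":"P-256","x":"AQ","y":"Ag"}]}`
// parseJWKS returns every entry as a crypto.PublicKey: RSA entries become
// *rsa.PublicKey, other types (EC, OKP, oct) stay as their raw JWK struct.
func parseJWKS(data []byte) ([]crypto.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, N, E string } }
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, err
	}
	keys := make([]crypto.PublicKey, 0, len(set.Keys))
	for _, k := range set.Keys {
		if k.Kty != "RSA" {
			keys = append(keys, k) // stands in for the EC/OKP key objects a fuller parser builds
			continue
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed RSA parameters in JWKS")
		}
		keys = append(keys, &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())})
	}
	return keys, nil
}

// rsaKeys selects RSA keys from a discovered set with the comma-ok form. The bug
// class is the bare k.(*rsa.PublicKey), which panics on the first non-RSA key.
func rsaKeys(keys []crypto.PublicKey) (out []*rsa.PublicKey, err error) {
	for _, k := range keys {
		if rk, ok := k.(*rsa.PublicKey); ok {
			out = append(out, rk)
		}
	}
	if len(out) == 0 {
		err = errors.New("no RSA keys in JWKS")
	}
	return out, err
}
```

With the sample document, `parseJWKS` yields two keys and `rsaKeys` returns the single RSA key; a bare assertion on the EC entry would instead abort the process.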
CVE-2026-42575 is an integrity flaw in apko that can let altered .apk packages be accepted into OCI images if an attacker can tamper with package downloads. The issue is fixed in apko 1.2.7.
CVE-2026-42574 is a high-severity path traversal / symlink traversal issue in apko, the tool used to build and publish OCI container images from apk packages. A crafted .apk can create a TypeSymlink entry that points outside the build root, and a later directory-creation or file-write entry can follow that symlink to reach host paths the build user can write to. The issue is fixed in apko 1.2.5.