PatchSiren

oras-project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM oras-project CVE published 2026-07-17

CVE-2026-50162

The CVE record for CVE-2026-50162 was published on 2026-07-17T20:17:23.817Z and has not been modified since then. The NVD entry is currently 6.9 MEDIUM. This vulnerability affects the oras-go library, used for managing OCI artifacts, and involves a path traversal issue prior to version 2.6.1. The vulnerability allows an attacker to create files outside the working directory due to insufficient symlink tra [truncated]

HIGH oras-project CVE published 2026-07-17

CVE-2026-50151

The oras-go library vulnerability CVE-2026-50151 allows a malicious registry to receive caller credentials during monolithic blob upload. This issue is fixed in version 2.6.1. The vulnerability is caused by the blobStore.completePushAfterInitialPost function following a registry-controlled Location header during monolithic blob upload and reusing the Authorization header from the initial POST request for [truncated]