CVE-2026-20613

Published: Jan 22, 2026

Modified: Jan 23, 2026

PUBLISHED

Description

The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.

Vendor	Product	Versions
Apple	Container	affected `unspecified - < 0.7.1`
Apple	Containerization	affected `unspecified - < 0.20.1`

References

https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-20613

Description

Affected Products

References