{"vulnerability": "CVE-2026-42575", "sightings": [{"uuid": "a2fc4ba7-baa8-4a96-a776-6003f61e13c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42575", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlh5dmifud2f", "content": "\ud83d\udfe0 CVE-2026-42575 - High (7.5)\n\napko allows users to build and publish OCI container images built from apk packages. Prior to ver...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42575/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-09T21:02:02.659621Z"}, {"uuid": "60309095-0f13-47e6-8e4c-512011d0e6fd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42575", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlh6woiu5p2p", "content": "CVE-2026-42575 - apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)\nCVE ID : CVE-2026-42575\n \n Published : May 9, 2026, 8:16 p.m. | 33\u00a0minutes ago\n \n Description : apko allows users to build and publish OCI container images bu...", "creation_timestamp": "2026-05-09T21:30:35.487980Z"}, {"uuid": "fdedbfcf-f32e-4cf9-b213-224281bcd3c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42575", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116548044393536365", "content": "\u26a0\ufe0f HIGH severity: chainguard-dev apko (<1.2.7) doesn't verify downloaded .apk checksums vs signed index. Attackers can inject rogue packages into OCI images if download sources are compromised. Patch: upgrade to 1.2.7. CVE-2026-42575 https://radar.offseq.com/threat/cve-2026-42575-cwe-345-insufficient-verification-o-918c9a44 #OffSeq #ContainerSecurity", "creation_timestamp": "2026-05-10T03:00:27.075159Z"}, {"uuid": "97b96810-a9c8-417b-99d1-4df9378e18cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42575", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mlhreji2nc2l", "content": "HIGH severity: chainguard-dev apko (<1.2.7) skips verifying .apk checksums, risking rogue package injection if downloads are tampered. Upgrade to 1.2.7 now! https://radar.offseq.com/threat/cve-2026-42575-cwe-345-insufficient-verification-o-918c9a44 #OffSeq #ContainerSecurity", "creation_timestamp": "2026-05-10T03:00:31.650581Z"}]}