Is github.com/chainguard-dev/kaniko affected by CVE-2026-28406?

Go github.com/chainguard-dev/kaniko is affected in >=1.25.4 <1.25.10.

Is CVE-2026-28406 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

medium

CVE-2026-28406

Q: Is CVE-2026-28406 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

Go · github.com/chainguard-dev/kaniko

Summary

kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories in github.com/chainguard-dev/kaniko

Severity: medium
EPSS: 0.6% (p42)
Also known as: GHSA-6rxq-q92g-4rmf, GO-2026-4580
Published: 2026-03-10

References

https://github.com/chainguard-forks/kaniko/security/advisories/GHSA-6rxq-q92g-4rmf
https://nvd.nist.gov/vuln/detail/CVE-2026-28406
https://github.com/chainguard-forks/kaniko/commit/a370e4b1f66e6e842b685c8f70ed507964c4b221

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.