CVE-2026-33748
Published 2026-03-27
Priority: P3 (49) · Severity: high · CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.46% (36.8th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | moby_buildkit | >= 0 < 0.28.1 | 0.28.1 |
| moby | buildkit | < 0.28.1 | 0.28.1 |
| mobyproject | buildkit | < 0.28.1 | 0.28.1 |
| ubuntu | docker.io-app | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 8.2 | HIGH | — |
OSV
BuildKit Git URL subdir component can cause access to restricted files in github.com/moby/buildkit
osv·2026-03-27 · CVE-2026-33748
OSV
BuildKit Git URL subdir component can cause access to restricted files
osv·2026-03-26 · CVE-2026-33748 [HIGH]
### Impact
Insufficient validation of Git URL fragment subdir components (`#:`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.
### Patches
The issue has been fixed in version v0.28.1.
### Workarounds
The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
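An added illustration (not BuildKit's own code, and not its fix) of the check the advisory describes as missing: a Git URL fragment in the `ref:subdir` form is split, and the subdir is accepted only if it still lies inside the checked-out root after symlinks are resolved. A lexical-only check is shown beside it so the gap the advisory names (a subdir that is a symlink pointing outside the checkout) is visible; the function names and the constructed temp-dir fixture are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a subdir does not stay inside the checkout.
var ErrOutsideRoot = errors.New("subdir resolves outside the checked-out repository root")

// insideRoot reports whether path equals root or lies below it.
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// LexicalSubdir is the weak check: it normalizes ".." but never consults the
// filesystem, so a symlink inside the checkout that points elsewhere passes.
func LexicalSubdir(root, subdir string) (string, error) {
	p := filepath.Join(root, subdir)
	if !insideRoot(root, p) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

// ResolveSubdir is the hardened check: it resolves symlinks in both the root
// and the candidate and requires the real path to still lie under the root.
func ResolveSubdir(root, subdir string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate, err := LexicalSubdir(realRoot, subdir)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if err == nil && !insideRoot(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, err
}

// SetupFixture builds a constructed checkout in a temp dir: checkout/docs is
// a real directory, checkout/escape a symlink to a directory outside it.
func SetupFixture() (root, base string, err error) {
	if base, err = os.MkdirTemp("", "subdir-demo"); err != nil {
		return "", "", err
	}
	root = filepath.Join(base, "checkout")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(root, "docs"), outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", "", err
		}
	}
	return root, base, os.Symlink(outside, filepath.Join(root, "escape"))
}

func main() {
	root, base, err := SetupFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, frag := range []string{"main:docs", "main:escape", "main:../outside"} {
		_, subdir, _ := strings.Cut(frag, ":") // "#ref:subdir" fragment form
		_, lexErr := LexicalSubdir(root, subdir)
		_, resErr := ResolveSubdir(root, subdir)
		fmt.Printf("%-16s lexical=%v resolved=%v\n", frag, lexErr, resErr)
	}
}
```

The symlinked `escape` subdir passes the lexical check but is rejected once resolved, which is the distinction the advisory's symlink workaround is about.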
GHSA
BuildKit Git URL subdir component can cause access to restricted files
ghsa·2026-03-26 · CVE-2026-33748 [HIGH] · CWE-22
Ubuntu
Docker vulnerabilities
vendor_ubuntu·2026-05-06·CVSS 9.8 · CVE-2026-33748 [CRITICAL]
Summary: Several security issues were fixed in Docker.
It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing frontend API messages. An attacker could possibly use this issue to write files outside of the intended state directory. (CVE-2026-33747)
It was discovered that BuildKit, contained within Docker, incorrectly validated the subdir component of Git URL fragments. An attacker could possibly use this issue to access files outside of the checked-out repository root. (CVE-2026-33748)
Instructions: After a standard system update you need to restart Docker to make all the necessary changes.
Red Hat
github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components
vendor_redhat·2026-03-27·CVSS 8.2 · CVE-2026-33748 [HIGH] · CWE-22
A flaw was found in BuildKit. Insufficient validatio
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33748 docker-compose: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 8.2 · [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-f5bc7ff320 (docker-compose-5.1.3-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-f5bc7ff320
---
FEDORA-2026-f5bc7ff320 (docker-compose-5.1.3-1.fc45) has been pushed to the Fedora 45 stable repository.
If the problem still persists, please make a note of it in this bug report.
---
FEDORA-2026-645ac72ff4 (docker-compose-5.1.3-1.fc44) has been submitted as an update to Fedora
Bugzilla
CVE-2026-33748 singularity-ce: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 7.5 · [HIGH]
Discussion:
FEDORA-2026-d32912dc74 (singularity-ce-4.4.2-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-d32912dc74
---
FEDORA-2026-d32912dc74 (singularity-ce-4.4.2-1.fc45) has been pushed to the Fedora 45 stable repository.
If the problem still persists, please make a note of it in this bug report.
---
FEDORA-2026-63ae478575 (singularity-ce-4.4.2-1.fc44) has been submitted as an update to Fedora
Bugzilla
CVE-2026-33748 buildah: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 7.5 · [HIGH]
Discussion:
Vulnerable code not used or vendored by buildah.
Bugzilla
CVE-2026-33748 doctl: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 8.2 · [HIGH]
Discussion:
FEDORA-2026-9a360acefb (doctl-1.154.0-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-9a360acefb
---
FEDORA-2026-9a360acefb has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-9a360acefb`
You can provide feedback for this update here: https:
Bugzilla
CVE-2026-33748 cri-o1.29: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 8.2 · [HIGH]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-33748 podman: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
bugzilla·2026-03-30·CVSS 7.5 · [HIGH]
Discussion:
Vulnerable code not used or vendored in podman.
Bugzilla
CVE-2026-33748 singularity-ce: BuildKit: Unauthorized file access via Git URL fragment subdir components [epel-all]
bugzilla·2026-03-30·CVSS 7.5 · [HIGH]
Discussion:
FEDORA-EPEL-2026-82e8b5fef4 (singularity-ce-4.4.2-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82e8b5fef4
---
FEDORA-EPEL-2026-15e8597d17 (singularity-ce-4.4.2-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-15e8597d17
---
FEDORA-EPEL-2026-d9f99fbd40 (singularity-ce-4.4.2-1.el9) has been submi
Bugzilla
CVE-2026-33748 github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components
bugzilla·2026-03-27·CVSS 8.2 · [HIGH]
Wiz
CVE-2026-33748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0 · CVE-2026-33748 [CRITICAL]
## CVE-2026-33748: Docker vulnerability analysis and mitigation
Source: NVD · Score: 8.2 · Published: March 27, 2026 · Severity: HIGH · CNA Score: 8.2