Skip to content
Vulnerability intelligence

CVE-2026-50163

ORAS Go and Java SDKs — used by Azure ACR, AWS ECR, Docker Hub, Helm, and Notation — disclosed symlink and hardlink escape flaws that let a malicious artifact write files outside the extraction directory.

2026