Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.
{ "versions": [ { "introduced": "0.1.3" }, { "fixed": "0.1.8" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5981.json"