Product
Apko versions prior to 1.2.7 are vulnerable to package substitution due to not verifying downloaded apk packages against the APKINDEX checksum, potentially allowing an attacker who can substitute download responses to install arbitrary packages into built images.