CVE-2026-24844

High CVSS: 7.9

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Vendor

Chainguard

Product

Melange

CWE

CWE-78

Yayın Tarihi

2026-02-04 20:16:05

Güncelleme

2026-02-18 15:55:43

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Melange HIGH Chainguard 2026

Referanslar

https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8 https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2

Benzer Kayıtlar

Medium

CVE-2026-29049

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cach…

High

CVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in vers…

Medium

CVE-2026-28407

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior…

High

CVE-2026-25143

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacke…

Medium

CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacke…

High

CVE-2026-24843

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker…