24 matches found

CNNVD
added 2026/05/13 12:00 a.m., 4 views

malcontent security vulnerability

Malcontent is a supply chain attack detection tool developed by Chainguard. Malcontent has a security vulnerability, which stems from the RecordUsage D-Bus method allowing arbitrary users to slowly fill the disk space in the /var/lib/malcontent-timerd directory...

CVSS 5.1, AI score 5.9, EPSS 0.00017
Exploits 0, References 1
Snyk
added 2026/05/04 9:27 p.m., 4 views

Resources Downloaded over Insecure Protocol

Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol in the getPackageImpl process. An attacker can introduce unauthorized packages into built images by substituting download responses from a compromised mirror, HTTP repository, or poisoned CDN...

CVSS 8.7, AI score 5.8, EPSS 0.00018
Exploits 0, References 3
Snyk
added 2026/05/04 9:26 p.m., 3 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...

CVSS 8.7, AI score 5.8, EPSS 0.00068
Exploits 0, References 3
CNNVD
added 2026/04/24 12:00 a.m., 5 views

melange path traversal vulnerability

Melange is software developed by Chainguard for building APKs from source code. Versions of Melange from 0.32.0 to 0.43.4 had a path traversal vulnerability. This vulnerability stemmed from insufficient validation of the arch and pkgname parameters, allowing attackers to write arbitrary JSON...

CVSS 4.4, AI score 5.9, EPSS 0.00005
Exploits 0, References 1
The Hacker News
added 2026/03/30 1:56 p.m., 13 views

⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More

Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention. There's a bit of everythi...

CVSS 10, AI score 7.4, EPSS 0.94454
Exploits 124
OSV
added 2026/03/10 6:28 p.m., 1 view

GO-2026-4577 malcontent: Nested archive extraction failure can drop content from scan inputs in github.com/chainguard-dev/malcontent

malcontent: Nested archive extraction failure can drop content from scan inputs in github.com/chainguard-dev/malcontent...

CVSS 6.9, AI score 5.8, EPSS 0.00036
Exploits 0, References 4
CNNVD
added 2026/02/27 12:00 a.m., 3 views

malcontent security vulnerability

Malcontent is a supply chain attack detection tool developed by Chainguard. Versions of Malcontent prior to 1.21.0 contained a security vulnerability. This vulnerability stemmed from the deletion of nested archives that failed to extract data, potentially leaving malicious content behind...

CVSS 6.9, AI score 7.3, EPSS 0.00036
Exploits 0, References 3
OSV
added 2026/02/05 3:20 a.m., 3 views

GO-2026-4412 melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange

melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange...

CVSS 7.8, AI score 5.5, EPSS 0.00011
Exploits 0, References 3
OSV
added 2026/02/05 3:20 a.m., 1 view

GO-2026-4408 melange pipeline working-directory could allow command injection in chainguard.dev/melange

melange pipeline working-directory could allow command injection in chainguard.dev/melange...

CVSS 8.8, AI score 5.3, EPSS 0.0001
Exploits 0, References 3
OSV
added 2026/02/05 3:20 a.m., 2 views

GO-2026-4405 apko has a path traversal in apko dirFS which allows filesystem writes outside base in chainguard.dev/apko

apko has a path traversal in apko dirFS which allows filesystem writes outside base in chainguard.dev/apko...

CVSS 7.5, AI score 5.2, EPSS 0.00022
Exploits 0, References 3
Snyk
added 2026/02/04 12:07 a.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ExpandApk function. An attacker can cause excessive resource consumption by providing a specially crafted, highly-compressed .apk stream that decompresses into a large tar...

CVSS 7.5, AI score 5.6, EPSS 0.00019
Exploits 0, References 2
CNNVD
added 2026/02/04 12:00 a.m., 2 views

melange operating system command injection vulnerability

Melange is software developed by Chainguard for building APKs from source code. Versions of Melange prior to 0.40.3 contained a vulnerability related to operating system command injection. This vulnerability stemmed from improper escaping of variables in the working directory field, which could...

CVSS 8.8, AI score 5.9, EPSS 0.0001
Exploits 0, References 2
Snyk
added 2026/02/03 11:58 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Split function. An attacker can cause excessive CPU consumption and resource exhaustion by supplying a malicious APK stream that triggers unbounded gzip inflation. Remediation...

CVSS 7.1, AI score 5.5, EPSS 0.00018
Exploits 0, References 2
Snyk
added 2026/02/03 11:58 p.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Split function. An attacker can cause excessive CPU consumption and resource exhaustion by supplying a malicious APK stream that triggers unbounded gzip inflation. Remediation...

CVSS 7.1, AI score 5.5, EPSS 0.00018
Exploits 0, References 2
Snyk
added 2026/02/03 11:58 p.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Split function. An attacker can cause excessive CPU consumption and resource exhaustion by supplying a malicious APK stream that triggers unbounded gzip inflation. Remediation...

CVSS 7.1, AI score 5.5, EPSS 0.00018
Exploits 0, References 2
Snyk
added 2026/02/03 11:48 p.m., 1 view

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the working-directory field when user-supplied input is embedded into shell scripts without proper quote escaping. An attacker can execute arbitrary shell commands by providing crafted build input values that are...

CVSS 8.8, AI score 6, EPSS 0.0001
Exploits 0, References 2
OSV
added 2026/02/02 9:05 p.m., 4 views

GO-2026-4391 malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction in github.com/chainguard-dev/malcontent

malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction in github.com/chainguard-dev/malcontent...

CVSS 5.5, AI score 5.3, EPSS 0.00007
Exploits 0, References 4
CNNVD
added 2026/01/29 12:00 a.m., 1 view

Malcontent security vulnerabilities

Malcontent is a supply chain attack detection tool developed by Chainguard. Versions of Malcontent prior to 1.20.3 contained a security vulnerability. This vulnerability stemmed from the possibility of creating symbolic links outside of the expected extraction directories when scanning specially...

CVSS 5.5, AI score 5.8, EPSS 0.00007
Exploits 0, References 3
Veracode
added 2025/07/22 5:30 a.m., 5 views

Improper File Permissions

chainguard.dev/melange is vulnerable to improper file permissions. The vulnerability is due to SBOM files in APKs being generated with file system permissions mode 666, which allows an attacker to tamper with the SBOMs...

CVSS 4.4, AI score 7, EPSS 0.0008
Exploits 0, References 8, Affected software 1
Snyk
added 2025/07/18 4:42 p.m., 1 view

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions via the updateCache function in the buildimplementation.go file. An attacker can gain unauthorized access to modify critical system files by exploiting overly permissive file permissions. Remediation Upgrad...

CVSS 7.1, AI score 7.1, EPSS 0.00071
Exploits 0, References 2