Lucene search

5 matches found

ATTACKERKB
added 2026/02/04 7:31 p.m. · 3 views

CVE-2026-24844

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in...

CVSS 7.9 · AI score 5.8 · EPSS 0.00176
Exploits 0 · References 3 · Affected Software 1
Github Security Blog
added 2026/02/03 11:48 p.m. · 7 views

melange pipeline working-directory could allow command injection

An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. Fix: Fixed with e51ca30c,...

CVSS 8.8 · AI score 5.8 · EPSS 0.00176
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/03/19 4:15 p.m. · 1 views

CVE-2025-30196

Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step...

CVSS 6.5 · AI score 5.7 · EPSS 0.00255
Exploits 0 · References 1
Positive Technologies
added 2022/03/29 12:0 a.m. · 2 views

PT-2022-18853 · Jenkins · Jenkins Coverage/Complexity Scatter Plot Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Coverage/Complexity Scatter Plot Plugin versions 1.1.1 and earlier
Description: The issue allows attackers to control input files for the 'Public Coverage / Complexity Scatter Plot' post-build step, enabling them to have Jenkins parse...

CVSS 8.1 · AI score 8 · EPSS 0.00972
Exploits 0 · References 7
Positive Technologies
added 2020/02/12 12:0 a.m. · 3 views

PT-2020-15322 · Jenkins · Jenkins Junit Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins NUnit Plugin versions 0.25 and earlier
Description: The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secre...

CVSS 8.8 · AI score 8.5 · EPSS 0.0115
Exploits 0 · References 7