14 matches found
SUSE CVE-2026-25145
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
GO-2026-4409 melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange
melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange...
CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
CVE-2026-25145
In melange, a path traversal vulnerability exists in LicensingInfos (pkg/config/config.go) where license-path is not validated to stay within the workspace. From version 0.14.0 up to before 0.40.3, an attacker who can influence a melange config (e.g., PR-driven CI or build‑as‑a‑service) could rea...
CVE-2026-25145
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
EUVD-2026-5370
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
GHSA-2W4F-9FGG-Q2V9 melange has a path traversal in license-path which allows reading files outside workspace
An attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright.license-path without...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the LicensingInfos function, which reads license files specified in the copyright.license-path field without validating that paths remain within the workspace directory. An attacker can access and exfiltrate...
melange has a path traversal in license-path which allows reading files outside workspace
An attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright.license-path without...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the LicensingInfos function, which reads license files specified in the copyright.license-path field without validating that paths remain within the workspace directory. An attacker can access and exfiltrate...
PT-2026-6349
An attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright.license-path without...
melange has a path traversal in license-path which allows reading files outside workspace
An attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright.license-path without...