CVE-2026-29050

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...

PT-2026-34803

Name of the Vulnerable Software and Affected Versions melange versions 0.32.0 through 0.43.3 Description An attacker capable of influencing a configuration file, such as in build-as-a-service or pull-request-driven CI scenarios, can manipulate the pipeline.uses variable to include absolute paths ...

CVE-2026-29049

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...

GO-2026-4412 melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange

melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange...

CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...

CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...

PT-2026-6212

Name of the Vulnerable Software and Affected Versions melange versions 0.3.0 through 0.40.2 Description melange enables users to create apk packages using declarative pipelines. A security issue exists in versions 0.3.0 through 0.40.2 where an attacker with the ability to supply build input value...

melange 安全漏洞

melange is a Chainguard open source for building APKs from source code. A security vulnerability exists in melange versions prior to 0.23.0 through 0.29.5, which stems from improperly set permissions on the SBOM file, which could lead to a tampering attack...

PT-2025-30051 · Melange · Melange

Name of the Vulnerable Software and Affected Versions: melange versions 0.23.0 through 0.29.4 Description: melange allows users to build apk packages using declarative pipelines. SBOM files generated by melange in apks had file system permissions mode 666, potentially allowing an unprivileged use...