4 matches found
EUVD-2026-34197
PackagePersister.validatetgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(releasedir, 'packages', "#{name}.tgz") and name = packagemeta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x — i.e., /bin/sh -c. No...
melange has Path Traversal via .PKGINFO in --persist-lint-results
Impact: melange lint --persist-lint-results (opt-in flag, also usable via melange build --persist-lint-results) constructs output file paths by joining --out-dir with the arch and pkgname values read from the .PKGINFO control file of the APK being linted. In affected versions these values were not...
CVE-2022-28783
CVE-2022-28783 concerns Galaxy Themes prior to Samsung SMR May-2022 Release 1, where improper validation allowed uninstalling arbitrary packages without permission. The description in multiple sources confirms the root cause as insufficient validation for removing a package name, enabling unautho...
CVE-2018-9142
On Samsung mobile devices with N7.x software, attackers can install an arbitrary APK in the Secure Folder SD Card area because of faulty validation of a package signature and package name, aka SVE-2017-10932...