17 matches found
EUVD-2026-11570
melange affected by potential host command execution via license-check YAML mode patch pipeline...
SUSE CVE-2026-25143
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
GO-2026-4412 melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange
melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange...
CVE-2026-25143
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143 melange affected by potential host command execution via license-check YAML mode patch pipeline
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143 melange affected by potential host command execution via license-check YAML mode patch pipeline
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143
CVE-2026-25143 affects the melange build system. The built-in patch pipeline (pkg/build/pipelines/patch.yaml) accepts patch-related inputs and embeds them into shell scripts without proper quoting or validation, enabling shell metacharacters to escape the intended context. An attacker who can inf...
EUVD-2026-5371
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
CVE-2026-25143 melange affected by potential host command execution via license-check YAML mode patch pipeline
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...
GHSA-RF4G-89H5-CRCR melange affected by potential host command execution via license-check YAML mode patch pipeline
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...
melange affected by potential host command execution via license-check YAML mode patch pipeline
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...
PT-2026-6475
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...
melange affected by potential host command execution via license-check YAML mode patch pipeline
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...
melange 操作系统命令注入漏洞
Melange is a software developed by Chainguard for building APKs from source code. Versions of Melange from 0.10.0 to 0.40.3 had an operating system command injection vulnerability. This vulnerability stemmed from the patch pipeline incorrectly referencing or verifying input-derived values when...
PT-2026-6271
Name of the Vulnerable Software and Affected Versions melange versions 0.10.0 through 0.40.2 Description melange enables users to construct APK packages utilizing declarative pipelines. A flaw exists in versions 0.10.0 up to, but not including, 0.40.3 where an attacker capable of manipulating...