3 matches found
CVE-2026-28407
CVE-2026-28407 affects malcontent (software for supply‑chain analysis). Prior to version 1.21.0, it could drop or discard nested archives that failed to extract, potentially omitting content from scans. The root cause is the removal of nested archives during processing. Version 1.21.0 fixes the i...
CVE-2026-24845
CVE-2026-24845 affects the malcontent tool. The advisory describes that versions prior to 1.20.3 (starting with 0.10.0) could exfiltrate Docker registry credentials when scanning certain OCI image references. The vulnerability stems from malcontent using google/go-containerregistry for OCI image ...
CVE-2026-24846
CVE-2026-24846 affects the malcontent project. In versions 1.8.0 through 1.20.3, the archive extraction logic could be coerced into creating symlinks outside the intended extraction directory due to the handleSymlink function receiving arguments in the wrong order and lack of validation of symlin...