Go modules package
chainguard.dev/melange
pkg:golang/chainguard.dev/melange
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-29051 | Med | 4.4 | — | >= 0.32.0, < 0.43.4 | 0.43.4 | Apr 24, 2026 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--o |
| CVE-2026-29050 | Med | 6.1 | — | >= 0.32.0, < 0.43.4 | 0.43.4 | Apr 24, 2026 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file, for example through pull-request-driven CI or build-as-a-service scenarios, could set `pip |
| CVE-2026-29049 | — | — | — | <= 0.40.5 | — | Mar 6, 2026 | melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a mel |
| CVE-2026-25145 | — | — | — | >= 0.14.0, < 0.40.3 | 0.40.3 | Feb 4, 2026 | melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull-request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host |
| CVE-2026-25143 | — | — | — | >= 0.10.0, < 0.40.3 | 0.40.3 | Feb 4, 2026 | melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml |
| CVE-2026-24844 | — | — | — | >= 0.3.0, < 0.40.3 | 0.40.3 | Feb 4, 2026 | melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.* |
| CVE-2026-24843 | — | — | — | >= 0.11.3, < 0.40.3 | 0.40.3 | Feb 4, 2026 | melange allows users to build apk packages using declarative pipelines. From version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function ext |
| CVE-2025-54059 | Med | 4.4 | — | >= 0.23.0, < 0.29.5 | 0.29.5 | Jul 18, 2025 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a |