8.8
CVE-2026-24844
- EPSS 0.18%
- Veröffentlicht 04.02.2026 19:31:55
- Zuletzt bearbeitet 18.02.2026 15:55:43
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginmelange pipeline working-directory could allow command injection
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Chainguard ≫ Melange SwPlatformgo Version >= 0.3.0 <= 0.40.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.072 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2 | 6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
| security-advisories@github.com | 7.9 | 1.5 | 5.8 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2
https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8