CVE-2026-24844

EPSS 0.01%
Veröffentlicht 04.02.2026 19:31:55
Zuletzt bearbeitet 18.02.2026 15:55:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Chainguard ≫ Melange SwPlatformgo Version >= 0.3.0 <= 0.40.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.008

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	7.9	1.5	5.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2

Patch

Vendor Advisory

https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-24844

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24844

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24844

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24844