CVE-2026-25145
- EPSS 0%
- Published 04.02.2026 19:32:35
- Last modified 18.02.2026 15:53:58
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read...
CVE-2026-25143
- EPSS 0.01%
- Published 04.02.2026 19:32:17
- Last modified 18.02.2026 15:55:19
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in p...
CVE-2026-24844
- EPSS 0.01%
- Published 04.02.2026 19:31:55
- Last modified 18.02.2026 15:55:43
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline u...
CVE-2026-24843
- EPSS 0.01%
- Published 04.02.2026 19:31:35
- Last modified 18.02.2026 15:57:38
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The ...