CVE-2026-29049
- EPSS 0.04%
- Published 06.03.2026 07:16:02
- Last modified 10.03.2026 19:28:57
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An at...
CVE-2026-25145
- EPSS 0%
- Published 04.02.2026 19:32:35
- Last modified 18.02.2026 15:53:58
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read...
CVE-2026-25143
- EPSS 0.01%
- Published 04.02.2026 19:32:17
- Last modified 18.02.2026 15:55:19
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in p...
CVE-2026-24844
- EPSS 0.01%
- Published 04.02.2026 19:31:55
- Last modified 18.02.2026 15:55:43
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline u...
CVE-2026-24843
- EPSS 0.01%
- Published 04.02.2026 19:31:35
- Last modified 18.02.2026 15:57:38
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The ...