All 8 CVE vulnerabilities found in melange, with AI-generated Chinese analysis, references, and POCs.
Vendor: chainguard-dev

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-29051 | melange has Path Traversal via `.PKGINFO` in `--persist-lint-results` | CWE-22 | 4.4 | Medium | 2026-04-24 |
| CVE-2026-29050 | melange has Path Traversal When Resolving External Pipelines via Unvalidated `pipeline[].uses` | CWE-22 | 6.1 | Medium | 2026-04-23 |
| CVE-2026-29049 | melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI | CWE-400 | 4.3 | Medium | 2026-03-06 |
| CVE-2026-25145 | melange has a path traversal in license-path which allows reading files outside workspace | CWE-22 | 5.5 | Medium | 2026-02-04 |
| CVE-2026-25143 | melange affected by potential host command execution via license-check YAML mode patch pipeline | CWE-78 | 7.8 | High | 2026-02-04 |
| CVE-2026-24844 | melange pipeline working-directory could allow command injection | CWE-78 | 7.8 | High | 2026-02-04 |
| CVE-2026-24843 | melange QEMU runner could write files outside workspace directory | CWE-22 | 8.2 | High | 2026-02-04 |
| CVE-2025-54059 | melange creates SBOM files in APKs with world-writable permissions | CWE-276 | 4.4 | Medium | 2025-07-18 |