| CVE-2026-29050 | medium | — | 5.5 | 1mo ago | melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses |
| CVE-2026-29051 | low | — | 2.5 | 1mo ago | melange has Path Traversal via .PKGINFO in --persist-lint-results |
| CVE-2026-29049 | unknown | — | — | 3mo ago | `melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange |
| CVE-2026-25145 | unknown | — | — | 4mo ago | melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange |
| CVE-2026-25143 | unknown | — | — | 4mo ago | melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange |
| CVE-2026-24844 | unknown | — | — | 4mo ago | melange pipeline working-directory could allow command injection in chainguard.dev/melange |
| CVE-2026-24843 | unknown | — | — | 4mo ago | melange QEMU runner could write files outside workspace directory in chainguard.dev/melange |
| CVE-2025-54059 | unknown | — | — | 10mo ago | melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange |