CVE-2026-24844

Published: Feb 4, 2026Modified: Feb 18, 2026

8.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: NVD

Description

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Affected (1)

Products: Chainguard: Melange

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Chainguard Melange	From 0.3.0 to 0.40.5

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8

Source: security-advisories@github.com

Patch

https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.