pkg:Go/chainguard.dev/melange
14 total CVEs: HIGH 6, MEDIUM 7, LOW 1
All known vulnerabilities
- HIGH 8.2, CVE-2026-24843: melange QEMU runner could write files outside workspace directory in chainguard.dev/melange (versions >= 0.11.3, < 0.40.3)
- HIGH 7.9, CVE-2026-24844: melange pipeline working-directory could allow command injection in chainguard.dev/melange (versions >= 0.3.0, < 0.40.3)
- HIGH 7.8, CVE-2026-25143: melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange (versions >= 0.10.0, < 0.40.3)
- MEDIUM 6.1, CVE-2026-29050: melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses (versions >= 0.32.0, < 0.43.4)
- MEDIUM 5.5, CVE-2026-25145: melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange (versions >= 0.14.0, < 0.40.3)
- MEDIUM 4.4, CVE-2025-54059: melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange (versions >= 0.23.0, < 0.29.5)
- MEDIUM 4.3, CVE-2026-29049: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI (versions from 0, <= 0.40.5)
- MEDIUM 4.3, CVE-2026-29049: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI (versions from 0)
- >= 0.32.0, < 0.43.4