pkg:Go/chainguard.dev/melange

14 CVEs in total: HIGH 6, MEDIUM 7, LOW 1

All known vulnerabilities

  • HIGH 8.2 CVE-2026-24843: melange QEMU runner could write files outside workspace directory in chainguard.dev/melange
    >= 0.11.3, < 0.40.3
  • HIGH 8.2 CVE-2026-24843: melange QEMU runner could write files outside workspace directory in chainguard.dev/melange
    >= 0.11.3, < 0.40.3
  • HIGH 7.9 CVE-2026-24844: melange pipeline working-directory could allow command injection in chainguard.dev/melange
    >= 0.3.0, < 0.40.3
  • HIGH 7.9 CVE-2026-24844: melange pipeline working-directory could allow command injection in chainguard.dev/melange
    >= 0.3.0, < 0.40.3
  • HIGH 7.8 CVE-2026-25143: melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange
    >= 0.10.0, < 0.40.3
  • HIGH 7.8 CVE-2026-25143: melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange
    >= 0.10.0, < 0.40.3
  • MEDIUM 6.1 CVE-2026-29050: melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
    >= 0.32.0, < 0.43.4
  • MEDIUM 5.5 CVE-2026-25145: melange has a path traversal in license-path which allows reading files outside workspace
    >= 0.14.0, < 0.40.3
  • MEDIUM 5.5 CVE-2026-25145: melange has a path traversal in license-path which allows reading files outside workspace
    >= 0.14.0, < 0.40.3
  • MEDIUM 4.4 CVE-2025-54059: melange's world-writable permissions expose SBOM files to potential image tampering
    >= 0.23.0, < 0.29.5
  • MEDIUM 4.4 CVE-2025-54059: melange's world-writable permissions expose SBOM files to potential image tampering
    >= 0.23.0, < 0.29.5
  • MEDIUM 4.3 CVE-2026-29049: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI
    from 0, <= 0.40.5
  • MEDIUM 4.3 CVE-2026-29049: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI
    from 0
  • LOW 3.3 CVE-2026-29051: melange has Path Traversal via .PKGINFO in --persist-lint-results
    >= 0.32.0, < 0.43.4