CVE-2026-24844

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8	Patch
https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-04 20:16

Updated : 2026-02-18 15:55

NVD link : CVE-2026-24844

Mitre link : CVE-2026-24844

CVE.ORG link : CVE-2026-24844

JSON object : View

Products Affected

chainguard

melange

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-24844", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2026-02-04T20:16:05.550", "references": [{"url": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3."}, {"lang": "es", "value": "melange permite a los usuarios construir paquetes apk usando pipelines declarativos. Desde la versi\u00f3n 0.3.0 hasta antes de la 0.40.3, un atacante que puede proporcionar valores de entrada de construcci\u00f3n, pero no modificar las definiciones de pipeline, podr\u00eda ejecutar comandos de shell arbitrarios si el pipeline usa sustituciones ${{vars.*}} o ${{inputs.*}} en working-directory. El campo se incrusta en scripts de shell sin el escape de comillas adecuado. Este problema ha sido parcheado en la versi\u00f3n 0.40.3."}], "lastModified": "2026-02-18T15:55:43.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "5C0F1F45-AE07-4650-ADC4-996D023BCEB6", "versionEndIncluding": "0.40.5", "versionStartIncluding": "0.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}