GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
12 advisories
melange has Path Traversal via .PKGINFO in --persist-lint-results
Moderate
CVE-2026-29051
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Moderate
CVE-2026-29050
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI
Moderate
CVE-2026-29049
was published
for
chainguard.dev/melange
(Go)
Mar 2, 2026
melange has a path traversal in license-path which allows reading files outside workspace
Moderate
CVE-2026-25145
was published
for
chainguard.dev/melange
(Go)
Feb 4, 2026
melange affected by potential host command execution via license-check YAML mode patch pipeline
High
CVE-2026-25143
was published
for
chainguard.dev/melange
(Go)
Feb 4, 2026
apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams
High
CVE-2026-25140
was published
for
chainguard-dev/apko
(Go)
Feb 4, 2026
apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams
Moderate
CVE-2026-25122
was published
for
chainguard.dev/apko
(Go)
Feb 3, 2026
apko has a path traversal in apko dirFS which allows filesystem writes outside base
High
CVE-2026-25121
was published
for
chainguard.dev/apko
(Go)
Feb 3, 2026
melange pipeline working-directory could allow command injection
High
CVE-2026-24844
was published
for
chainguard.dev/melange
(Go)
Feb 3, 2026
melange QEMU runner could write files outside workspace directory
High
CVE-2026-24843
was published
for
chainguard.dev/melange
(Go)
Feb 3, 2026
malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
Moderate
CVE-2026-24846
was published
for
github.com/chainguard-dev/malcontent
(Go)
Jan 29, 2026
malcontent OCI image pull credential exfiltration via malicious registry token realm
Moderate
CVE-2026-24845
was published
for
github.com/chainguard-dev/malcontent
(Go)
Jan 29, 2026
ProTip!
Advisories are also available from the
GraphQL API