{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24844", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.059Z", "datePublished": "2026-02-04T19:31:55.830Z", "dateUpdated": "2026-02-05T14:33:09.866Z"}, "containers": {"cna": {"title": "melange pipeline working-directory could allow command injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2"}, {"name": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": ">= 0.3.0, < 0.40.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:31:55.830Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3."}], "source": {"advisory": "GHSA-vqqr-rmpc-hhg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:23:15.057025Z", "id": "CVE-2026-24844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:33:09.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-05T14:23:15.057025Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:23:15.696Z"}}], "cna": {"title": "melange pipeline working-directory could allow command injection", "source": {"advisory": "GHSA-vqqr-rmpc-hhg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": ">= 0.3.0, < 0.40.3"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8", "name": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:31:55.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24844", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:33:09.866Z", "dateReserved": "2026-01-27T14:51:03.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T19:31:55.830Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "matchCriteriaId": "5C0F1F45-AE07-4650-ADC4-996D023BCEB6", "versionEndIncluding": "0.40.5", "versionStartIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3."}, {"lang": "es", "value": "melange permite a los usuarios construir paquetes apk usando pipelines declarativos. Desde la versi\u00f3n 0.3.0 hasta antes de la 0.40.3, un atacante que puede proporcionar valores de entrada de construcci\u00f3n, pero no modificar las definiciones de pipeline, podr\u00eda ejecutar comandos de shell arbitrarios si el pipeline usa sustituciones ${{vars.*}} o ${{inputs.*}} en working-directory. El campo se incrusta en scripts de shell sin el escape de comillas adecuado. Este problema ha sido parcheado en la versi\u00f3n 0.40.3."}], "id": "CVE-2026-24844", "lastModified": "2026-02-18T15:55:43.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T20:16:05.550", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:19:24.829580+00:00", "value": {"mitigation_remediation": ["Upgrade Chainguard Melange to 0.40.3 or newer to apply the fix that correctly escapes working-directory values.", "In the meantime, avoid using dynamic input substitutions in the working-directory field. Use static directory paths or remove any ${{vars.*}} or ${{inputs.*}} expressions from that parameter when triggering builds.", "Add input validation or sanitization on build-input values to strip or escape shell metacharacters before they are propagated to script contexts, ensuring that any injected path is properly quoted.", "Monitor build logs for unexpected shell command execution and enforce least privilege on build executor credentials to limit potential damage if an injection occurs."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Chainguard Dev's Melange, versions 0.3.0 through 0.40.2 inclusive. Build inputs from an untrusted source can trigger the injection when the pipeline references ${{vars.*}} or ${{inputs.*}} within the working-directory parameter. The patch, released in version 0.40.3, corrects the escaping logic.", "description_and_impact": "Melange, a tool for building APK packages from declarative pipelines, has a flaw in how it handles the working-directory field. From version 0.3.0 to 0.40.2 an attacker who can supply build input values but cannot edit the pipeline definition can inject arbitrary shell commands. The vulnerable field is inserted into shell scripts without quote escaping, allowing command substitution and execution. This weakness is a classic System Call Injection (CWE\u201178) and enables an attacker to run arbitrary commands during the build process.", "risk_and_exploitability": "The CVSS score is 7.8, indicating high severity. The EPSS score is <1%, suggesting a low probability of exploitation under current conditions, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only to supply malicious input values to an automated build; no control over pipeline code is required. The build system must run with sufficient privileges for the exploit to be valuable, but the flaw does not require user interaction beyond providing allowed inputs."}}}}, "created": "2026-02-05T11:39:19.129259+00:00", "updated": "2026-04-17T23:30:15.906984+00:00", "vendors": ["chainguard-dev", "chainguard-dev$PRODUCT$melange"]}