{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-02-27T21:28:06.258Z", "dateUpdated": "2026-03-02T22:01:48.514Z"}, "containers": {"cna": {"title": "malcontent's nested archive extraction failure can drop content from scan inputs", "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "lang": "en", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-945p-3jhm-6rcp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-945p-3jhm-6rcp"}, {"name": "https://github.com/chainguard-dev/malcontent/pull/1383", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/malcontent/pull/1383"}, {"name": "https://github.com/chainguard-dev/malcontent/commit/356c56659ccfcad0b249a97de8cf71f151ed3ee9", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/malcontent/commit/356c56659ccfcad0b249a97de8cf71f151ed3ee9"}], "affected": [{"vendor": "chainguard-dev", "product": "malcontent", "versions": [{"version": "< 1.21.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:28:06.258Z"}, "descriptions": [{"lang": "en", "value": "malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue."}], "source": {"advisory": "GHSA-945p-3jhm-6rcp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T22:01:36.247390Z", "id": "CVE-2026-28407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T22:01:48.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T22:01:36.247390Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T22:01:44.254Z"}}], "cna": {"title": "malcontent's nested archive extraction failure can drop content from scan inputs", "source": {"advisory": "GHSA-945p-3jhm-6rcp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "chainguard-dev", "product": "malcontent", "versions": [{"status": "affected", "version": "< 1.21.0"}]}], "references": [{"url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-945p-3jhm-6rcp", "name": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-945p-3jhm-6rcp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/malcontent/pull/1383", "name": "https://github.com/chainguard-dev/malcontent/pull/1383", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chainguard-dev/malcontent/commit/356c56659ccfcad0b249a97de8cf71f151ed3ee9", "name": "https://github.com/chainguard-dev/malcontent/commit/356c56659ccfcad0b249a97de8cf71f151ed3ee9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:28:06.258Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28407", "state": "PUBLISHED", "dateUpdated": "2026-03-02T22:01:48.514Z", "dateReserved": "2026-02-27T15:33:57.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T21:28:06.258Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:malcontent:*:*:*:*:*:*:*:*", "matchCriteriaId": "35E288B6-B34F-4A97-9B77-2E06D9D3F4F2", "versionEndExcluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue."}], "id": "CVE-2026-28407", "lastModified": "2026-03-03T18:23:37.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T22:16:23.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chainguard-dev/malcontent/commit/356c56659ccfcad0b249a97de8cf71f151ed3ee9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/chainguard-dev/malcontent/pull/1383"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-945p-3jhm-6rcp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-703"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.21.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "malcontent", "source": "cna", "vendor": "chainguard-dev"}, "product": "malcontent", "vendor": "chainguard-dev"}], "analysis": {"en": {"generated_at": "2026-04-16T15:13:42.759868+00:00", "value": {"mitigation_remediation": ["Upgrade to version\u202f1.21.0 or newer to apply the fix.", "Validate that the scanning pipeline preserves or logs any failed nested\u2011archive extraction so that potentially missed content can be inspected manually.", "If an upgrade cannot be performed immediately, manually examine the outputs of current scans for undiscovered nested archives and scan those files with a secondary tool to confirm no malicious material."], "summary": {"action": "Patch", "impact": "Content omission due to dropped nested archives during scanning"}, "threat_synthesis": {"affected_systems": "The vulnerable software is Chainguard\u2011Dev Malcontent. All releases before 1.21.0 are affected. Versions 1.21.0 and later include the fix.", "description_and_impact": "malcontent was designed to detect supply\u2011chain compromise by scanning archives for malicious patterns. The flaw caused failed extraction of nested archives to be silently removed, preventing those inner files from being examined. The result is that malicious content may pass undetected, reducing the tool\u2019s effectiveness. This weakness is a failure to handle error conditions properly, categorized as CWE\u2011703.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.9, indicating moderate risk. EPSS is less than 1\u202f%, making exploitation unlikely. The flaw is not listed in the CISA KEV catalog. The attack vector is indirect: an adversary can craft an archive that contains a nested archive that fails to extract; malcontent will drop the content, allowing the malicious payload to evade detection. Because the flaw only causes missing detection and not direct code execution, the impact is limited to ineffective security monitoring rather than an immediate compromise."}}}}, "created": "2026-03-02T12:04:48.755332+00:00", "updated": "2026-04-16T15:15:39.049930+00:00", "vendors": ["chainguard-dev", "chainguard-dev$PRODUCT$malcontent"]}