{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29051", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-04-24T00:00:36.253Z", "dateUpdated": "2026-04-24T13:10:10.825Z"}, "containers": {"cna": {"title": "melange has Path Traversal via .PKGINFO in --persist-lint-results", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j"}, {"name": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": ">= 0.32.0, < 0.43.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:00:36.253Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact."}], "source": {"advisory": "GHSA-q2pw-xx38-p64j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T13:10:02.108926Z", "id": "CVE-2026-29051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:10:10.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T13:10:02.108926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:10:07.094Z"}}], "cna": {"title": "melange has Path Traversal via .PKGINFO in --persist-lint-results", "source": {"advisory": "GHSA-q2pw-xx38-p64j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": ">= 0.32.0, < 0.43.4"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac", "name": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:00:36.253Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29051", "state": "PUBLISHED", "dateUpdated": "2026-04-24T13:10:10.825Z", "dateReserved": "2026-03-03T17:50:11.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T00:00:36.253Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "matchCriteriaId": "3E8363CF-5AF6-4FD7-A491-5D3E8E1F3576", "versionEndExcluding": "0.43.4", "versionStartIncluding": "0.32.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact."}], "id": "CVE-2026-29051", "lastModified": "2026-04-27T14:42:38.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T00:16:27.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation", "Patch"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.32.0,0.43.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "melange", "source": "cna", "vendor": "chainguard-dev"}, "product": "melange", "vendor": "chainguard"}], "analysis": {"en": {"generated_at": "2026-04-28T07:07:54.851934+00:00", "value": {"mitigation_remediation": ["Update melange to version 0.43.4 or later, which validates arch and pkgname fields before constructing the file path.", "If an update is not immediately possible, avoid using the --persist-lint-results flag for APKs whose .PKGINFO contents are not fully trusted.", "Run melange under a low-privileged user and restrict the output directory to a secure, isolated location to limit the impact of any accidental path traversal."], "summary": {"action": "Apply patch", "impact": "Arbitrary file overwrite via path traversal"}, "threat_synthesis": {"affected_systems": "Chainguard Dev's melange, versions 0.32.0 up to but not including 0.43.4, when the --persist-lint-results flag is enabled.", "description_and_impact": "This vulnerability occurs in the melange build tool when the optional flag --persist-lint-results is enabled. In versions 0.32.0 through 0.43.4, melange constructs output file paths by concatenating the user-specified --out-dir directory with the package architecture and name extracted from a maliciously crafted .PKGINFO file. Because these values are not validated for path separators or directory traversal sequences, an attacker who can supply a forged APK to the lint or build process can cause the tool to write a JSON lint report to an arbitrary location within the filesystem accessible to melange. The written content is partially influenced by the attacker, allowing potential overwrite of other JSON artifacts, but there is no direct code\u2011execution path.", "risk_and_exploitability": "The CVSS v3.1 score of 4.4 reflects a medium severity due to limited impact; the EPSS score is under 1%, indicating a very low probability that exploitation will occur. The vulnerability does not provide privilege escalation or remote code execution, but it can lead to destructive file overwrite within an environment that trusts the build pipeline. The attack would need an adversary who can influence the .PKGINFO of an APK processed by a melange instance, such as an insecure CI pipeline that lints third-party APKs. The issue is not listed in CISA\u2019s KEV catalog, and no public exploit has been reported."}}}}, "created": "2026-04-28T01:30:17.723520+00:00", "updated": "2026-04-28T07:15:19.374390+00:00", "vendors": ["chainguard", "chainguard$PRODUCT$melange"]}