Melange
CVE-2026-24844
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
AnalysisAI
melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]
Technical ContextAI
Classified as CWE-78 (OS Command Injection). Affects Melange. melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 0.40.3..
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that
Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling atta
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files fro
Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files fro
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vqqr-rmpc-hhg2