CVE-2026-24844

HIGH
2026-02-04 [email protected] GHSA-vqqr-rmpc-hhg2
7.9
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch Released
Feb 18, 2026 - 15:55 nvd
Patch available
CVE Published
Feb 04, 2026 - 20:16 nvd
HIGH 7.9

Tags

Command Injection RCE Melange Suse

Description

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Analysis

melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all systems running melange and assess exposure in your build infrastructure. Within 7 days: Apply the available patch to all affected melange instances and validate patch deployment. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

40
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0

Vendor Status

Share

CVE-2026-24844 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy