CNNVD-202602-588 Information
CNNVD ID
CNNVD-202602-588
Related CVE
- CNNVD Published: 2026-02-04
Description
melange is open-source software from Chainguard for building APK packages from source code. melange versions from 0.10.0 up to, but not including, 0.40.3 contain an operating system command injection vulnerability. The flaw arises because the patch pipeline embeds input-derived values into shell scripts without properly quoting or validating them, which may lead to execution of arbitrary shell commands.
Hazard Level
High
Vulnerability Type
OS Command Injection
Affected Vendor
Chainguard
Published
2026-02-04
Last Modified
2026-02-24
References
https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030
https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr
Patch
https://github.com/chainguard-dev/melange/releases