CNNVD-202602-590 Information

CNNVD ID

CNNVD-202602-590

CVE-2026-24844

  • CNNVD Published: 2026-02-04

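Description (translated from Chinese)

melange is open-source software from Chainguard for building APKs from source code. Versions of melange prior to 0.40.3 contain an operating system command injection vulnerability. It stems from variable substitution in the working directory field not being properly escaped, and may lead to arbitrary command execution.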

Description (English)

melange is an open-source tool from Chainguard that builds APKs from source code. Versions before 0.40.3 have an OS command injection vulnerability: variable substitution in the working directory field is not properly escaped, which can lead to arbitrary command execution.

Hazard Level

High

Vulnerability Type

OS command injection

Affected Vendor

Chainguard

Published

2026-02-04

Last Modified

2026-02-24

References

  • https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8
  • https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2

Patch

https://github.com/chainguard-dev/melange/releases
