CNNVD-202602-591 Information

CNNVD ID

CNNVD-202602-591

CVE-2026-24843

  • CNNVD Published: 2026-02-04

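Description (translated from Chinese)

melange is open-source software from Chainguard for building APKs from source code. Versions of melange before 0.40.3 have a path traversal vulnerability, which stems from paths not being validated when tar archives are extracted and may lead to path traversal attacks.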

Description (English)

Melange is open-source software from Chainguard for building APK packages from source. Versions of melange before 0.40.3 contain a vulnerability caused by paths not being validated when a tar archive is extracted, which could lead to a path traversal attack.

Hazard Level

High

Vulnerability Type

Path traversal

Affected Vendor

Chainguard

Published

2026-02-04

Last Modified

2026-02-24

References

https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b

https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4

Patch

https://github.com/chainguard-dev/melange/releases
