Publish Advisories

GHSA-qxx2-7h4c-83f4
GHSA-vqqr-rmpc-hhg2

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-qxx2-7h4c-83f4/GHSA-qxx2-7h4c-83f4.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qxx2-7h4c-83f4",
+  "modified": "2026-02-03T23:47:29Z",
+  "published": "2026-02-03T23:47:29Z",
+  "aliases": [
+    "CVE-2026-24843"
+  ],
+  "summary": "melange QEMU runner could write files outside workspace directory",
+  "details": "An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The `retrieveWorkspace` function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via `../` sequences.\n\n**Fix:** Fixed in [6e243d0d](https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b). Merged in release.\n\n**Acknowledgements**\n\nmelange thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "chainguard.dev/melange"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.11.3"
+            },
+            {
+              "fixed": "0.40.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/chainguard-dev/melange"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-03T23:47:29Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/02/GHSA-vqqr-rmpc-hhg2/GHSA-vqqr-rmpc-hhg2.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vqqr-rmpc-hhg2",
+  "modified": "2026-02-03T23:48:25Z",
+  "published": "2026-02-03T23:48:25Z",
+  "aliases": [
+    "CVE-2026-24844"
+  ],
+  "summary": "melange pipeline working-directory could allow command injection",
+  "details": "An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses `${{vars.*}}` or `${{inputs.*}}` substitutions in `working-directory`. The field is embedded into shell scripts without proper quote escaping.\n\n**Fix:** Fixed with [e51ca30c](https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8), Released. \n\n**Acknowledgements**\n\nmelange thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "chainguard.dev/melange"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.3.0"
+            },
+            {
+              "fixed": "0.40.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/chainguard-dev/melange"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-03T23:48:25Z",
+    "nvd_published_at": null
+  }
+}