CVE-2026-24843 · HIGH 8.4 · EPSS percentile 6.2%

Description

melange allows users to build apk packages using declarative pipelines. In versions from 0.11.3 up to, but not including, 0.40.3, an attacker who can influence the tar stream sent from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that the resulting paths stay within the workspace, allowing path traversal via ../ sequences in entry names. This issue has been patched in version 0.40.3.

Scoring

CVSS 3.1: 8.4 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.17% probability of exploitation · percentile 6.2% · 2026-06-19T12:03:05Z
Published: 2026-02-04
Last modified: 2026-02-18

Underlying weaknesses (1)

CWE-22

References

  1. https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b
  2. https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-24844
CVE: CVE-2026-28453
CVE: CVE-2025-69874
CVE: CVE-2026-26157
CVE: CVE-2026-26158
CVE: CVE-2026-11322
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.