go

chainguard.dev/melange

14 Total advisories
14 Vulnerabilities
0 Malware

Vulnerabilities

LOW 3.3
Go

CVE-2026-29051

melange has Path Traversal via .PKGINFO in --persist-lint-results

MEDIUM 6.1
Go

CVE-2026-29050

melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses

MEDIUM 4.3
Go

CVE-2026-29049

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

UNKNOWN
Go

CVE-2026-29049

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange

UNKNOWN
Go

CVE-2026-25145

melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange

UNKNOWN
Go

CVE-2026-24844

melange pipeline working-directory could allow command injection in chainguard.dev/melange

UNKNOWN
Go

CVE-2026-24843

melange QEMU runner could write files outside workspace directory in chainguard.dev/melange

UNKNOWN
Go

CVE-2026-25143

melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange

MEDIUM 5.5
Go

CVE-2026-25145

melange has a path traversal in license-path which allows reading files outside workspace

HIGH 7.8
Go

CVE-2026-25143

melange affected by potential host command execution via license-check YAML mode patch pipeline

HIGH 8.2
Go

CVE-2026-24843

melange QEMU runner could write files outside workspace directory

HIGH 7.9
Go

CVE-2026-24844

melange pipeline working-directory could allow command injection

UNKNOWN
Go

CVE-2025-54059

melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange

MEDIUM 4.4
Go

CVE-2025-54059

melange's world-writable permissions expose SBOM files to potential image tampering
