chainguard.dev/melange (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package chainguard.dev/melange, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2026-24843 — CVSS 8.2 (high): melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence…
CVE-2026-24844 — CVSS 7.9 (high): melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide…
CVE-2026-25143 — CVSS 7.8 (high): melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence…
CVE-2026-29050 — CVSS 6.1 (medium): melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker…
CVE-2026-25145 — CVSS 5.5 (medium): melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence…
CVE-2026-29051 — CVSS 4.4 (medium): melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange…
CVE-2025-54059 — CVSS 4.4 (medium): melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files…
CVE-2026-29049 — CVSS 4.3 (medium): melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs…