Vulnerability Details CVE-2026-24844
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.8%
CVSS Severity
CVSS v3 Score 7.9
References
Products affected by CVE-2026-24844
-
cpe:2.3:a:chainguard:melange:0.10.0
-
cpe:2.3:a:chainguard:melange:0.10.1
-
cpe:2.3:a:chainguard:melange:0.10.2
-
cpe:2.3:a:chainguard:melange:0.10.3
-
cpe:2.3:a:chainguard:melange:0.10.4
-
cpe:2.3:a:chainguard:melange:0.11.0
-
cpe:2.3:a:chainguard:melange:0.11.1
-
cpe:2.3:a:chainguard:melange:0.11.2
-
cpe:2.3:a:chainguard:melange:0.11.3
-
cpe:2.3:a:chainguard:melange:0.11.4
-
cpe:2.3:a:chainguard:melange:0.11.5
-
cpe:2.3:a:chainguard:melange:0.11.6
-
cpe:2.3:a:chainguard:melange:0.12.0
-
cpe:2.3:a:chainguard:melange:0.12.1
-
cpe:2.3:a:chainguard:melange:0.13.0
-
cpe:2.3:a:chainguard:melange:0.13.1
-
cpe:2.3:a:chainguard:melange:0.13.2
-
cpe:2.3:a:chainguard:melange:0.13.3
-
cpe:2.3:a:chainguard:melange:0.13.4
-
cpe:2.3:a:chainguard:melange:0.13.5
-
cpe:2.3:a:chainguard:melange:0.13.6
-
cpe:2.3:a:chainguard:melange:0.13.7
-
cpe:2.3:a:chainguard:melange:0.14.0
-
cpe:2.3:a:chainguard:melange:0.14.1
-
cpe:2.3:a:chainguard:melange:0.14.10
-
cpe:2.3:a:chainguard:melange:0.14.11
-
cpe:2.3:a:chainguard:melange:0.14.2
-
cpe:2.3:a:chainguard:melange:0.14.3
-
cpe:2.3:a:chainguard:melange:0.14.4
-
cpe:2.3:a:chainguard:melange:0.14.5
-
cpe:2.3:a:chainguard:melange:0.14.6
-
cpe:2.3:a:chainguard:melange:0.14.7
-
cpe:2.3:a:chainguard:melange:0.14.8
-
cpe:2.3:a:chainguard:melange:0.14.9
-
cpe:2.3:a:chainguard:melange:0.15.0
-
cpe:2.3:a:chainguard:melange:0.15.1
-
cpe:2.3:a:chainguard:melange:0.15.10
-
cpe:2.3:a:chainguard:melange:0.15.11
-
cpe:2.3:a:chainguard:melange:0.15.12
-
cpe:2.3:a:chainguard:melange:0.15.13
-
cpe:2.3:a:chainguard:melange:0.15.14
-
cpe:2.3:a:chainguard:melange:0.15.2
-
cpe:2.3:a:chainguard:melange:0.15.3
-
cpe:2.3:a:chainguard:melange:0.15.4
-
cpe:2.3:a:chainguard:melange:0.15.5
-
cpe:2.3:a:chainguard:melange:0.15.6
-
cpe:2.3:a:chainguard:melange:0.15.7
-
cpe:2.3:a:chainguard:melange:0.15.8
-
cpe:2.3:a:chainguard:melange:0.15.9
-
cpe:2.3:a:chainguard:melange:0.16.0
-
cpe:2.3:a:chainguard:melange:0.17.0
-
cpe:2.3:a:chainguard:melange:0.17.1
-
cpe:2.3:a:chainguard:melange:0.17.2
-
cpe:2.3:a:chainguard:melange:0.17.3
-
cpe:2.3:a:chainguard:melange:0.17.4
-
cpe:2.3:a:chainguard:melange:0.17.5
-
cpe:2.3:a:chainguard:melange:0.17.6
-
cpe:2.3:a:chainguard:melange:0.17.7
-
cpe:2.3:a:chainguard:melange:0.18.0
-
cpe:2.3:a:chainguard:melange:0.18.1
-
cpe:2.3:a:chainguard:melange:0.18.2
-
cpe:2.3:a:chainguard:melange:0.18.3
-
cpe:2.3:a:chainguard:melange:0.19.0
-
cpe:2.3:a:chainguard:melange:0.19.1
-
cpe:2.3:a:chainguard:melange:0.19.2
-
cpe:2.3:a:chainguard:melange:0.19.3
-
cpe:2.3:a:chainguard:melange:0.19.4
-
cpe:2.3:a:chainguard:melange:0.19.5
-
cpe:2.3:a:chainguard:melange:0.20.0
-
cpe:2.3:a:chainguard:melange:0.20.1
-
cpe:2.3:a:chainguard:melange:0.21.0
-
cpe:2.3:a:chainguard:melange:0.21.1
-
cpe:2.3:a:chainguard:melange:0.21.2
-
cpe:2.3:a:chainguard:melange:0.22.0
-
cpe:2.3:a:chainguard:melange:0.22.1
-
cpe:2.3:a:chainguard:melange:0.22.2
-
cpe:2.3:a:chainguard:melange:0.23.0
-
cpe:2.3:a:chainguard:melange:0.23.1
-
cpe:2.3:a:chainguard:melange:0.23.10
-
cpe:2.3:a:chainguard:melange:0.23.11
-
cpe:2.3:a:chainguard:melange:0.23.12
-
cpe:2.3:a:chainguard:melange:0.23.13
-
cpe:2.3:a:chainguard:melange:0.23.14
-
cpe:2.3:a:chainguard:melange:0.23.15
-
cpe:2.3:a:chainguard:melange:0.23.16
-
cpe:2.3:a:chainguard:melange:0.23.17
-
cpe:2.3:a:chainguard:melange:0.23.2
-
cpe:2.3:a:chainguard:melange:0.23.3
-
cpe:2.3:a:chainguard:melange:0.23.4
-
cpe:2.3:a:chainguard:melange:0.23.5
-
cpe:2.3:a:chainguard:melange:0.23.6
-
cpe:2.3:a:chainguard:melange:0.23.7
-
cpe:2.3:a:chainguard:melange:0.23.8
-
cpe:2.3:a:chainguard:melange:0.23.9
-
cpe:2.3:a:chainguard:melange:0.24.0
-
cpe:2.3:a:chainguard:melange:0.25.0
-
cpe:2.3:a:chainguard:melange:0.25.1
-
cpe:2.3:a:chainguard:melange:0.26.0
-
cpe:2.3:a:chainguard:melange:0.26.1
-
cpe:2.3:a:chainguard:melange:0.26.10
-
cpe:2.3:a:chainguard:melange:0.26.11
-
cpe:2.3:a:chainguard:melange:0.26.12
-
cpe:2.3:a:chainguard:melange:0.26.13
-
cpe:2.3:a:chainguard:melange:0.26.2
-
cpe:2.3:a:chainguard:melange:0.26.3
-
cpe:2.3:a:chainguard:melange:0.26.4
-
cpe:2.3:a:chainguard:melange:0.26.5
-
cpe:2.3:a:chainguard:melange:0.26.6
-
cpe:2.3:a:chainguard:melange:0.26.7
-
cpe:2.3:a:chainguard:melange:0.26.8
-
cpe:2.3:a:chainguard:melange:0.26.9
-
cpe:2.3:a:chainguard:melange:0.27.0
-
cpe:2.3:a:chainguard:melange:0.28.0
-
cpe:2.3:a:chainguard:melange:0.29.0
-
cpe:2.3:a:chainguard:melange:0.29.1
-
cpe:2.3:a:chainguard:melange:0.29.2
-
cpe:2.3:a:chainguard:melange:0.29.3
-
cpe:2.3:a:chainguard:melange:0.29.4
-
cpe:2.3:a:chainguard:melange:0.29.5
-
cpe:2.3:a:chainguard:melange:0.29.6
-
cpe:2.3:a:chainguard:melange:0.29.7
-
cpe:2.3:a:chainguard:melange:0.3.0
-
cpe:2.3:a:chainguard:melange:0.3.1
-
cpe:2.3:a:chainguard:melange:0.3.2
-
cpe:2.3:a:chainguard:melange:0.30.0
-
cpe:2.3:a:chainguard:melange:0.30.1
-
cpe:2.3:a:chainguard:melange:0.30.2
-
cpe:2.3:a:chainguard:melange:0.30.3
-
cpe:2.3:a:chainguard:melange:0.30.4
-
cpe:2.3:a:chainguard:melange:0.30.5
-
cpe:2.3:a:chainguard:melange:0.30.6
-
cpe:2.3:a:chainguard:melange:0.31.0
-
cpe:2.3:a:chainguard:melange:0.31.1
-
cpe:2.3:a:chainguard:melange:0.31.2
-
cpe:2.3:a:chainguard:melange:0.31.3
-
cpe:2.3:a:chainguard:melange:0.31.4
-
cpe:2.3:a:chainguard:melange:0.31.5
-
cpe:2.3:a:chainguard:melange:0.31.6
-
cpe:2.3:a:chainguard:melange:0.31.7
-
cpe:2.3:a:chainguard:melange:0.31.8
-
cpe:2.3:a:chainguard:melange:0.31.9
-
cpe:2.3:a:chainguard:melange:0.32.0
-
cpe:2.3:a:chainguard:melange:0.33.0
-
cpe:2.3:a:chainguard:melange:0.33.1
-
cpe:2.3:a:chainguard:melange:0.33.2
-
cpe:2.3:a:chainguard:melange:0.34.0
-
cpe:2.3:a:chainguard:melange:0.34.1
-
cpe:2.3:a:chainguard:melange:0.34.2
-
cpe:2.3:a:chainguard:melange:0.34.3
-
cpe:2.3:a:chainguard:melange:0.35.0
-
cpe:2.3:a:chainguard:melange:0.35.1
-
cpe:2.3:a:chainguard:melange:0.36.0
-
cpe:2.3:a:chainguard:melange:0.37.0
-
cpe:2.3:a:chainguard:melange:0.37.1
-
cpe:2.3:a:chainguard:melange:0.37.2
-
cpe:2.3:a:chainguard:melange:0.37.3
-
cpe:2.3:a:chainguard:melange:0.37.4
-
cpe:2.3:a:chainguard:melange:0.37.5
-
cpe:2.3:a:chainguard:melange:0.38.0
-
cpe:2.3:a:chainguard:melange:0.38.1
-
cpe:2.3:a:chainguard:melange:0.39.0
-
cpe:2.3:a:chainguard:melange:0.4.0
-
cpe:2.3:a:chainguard:melange:0.40.0
-
cpe:2.3:a:chainguard:melange:0.40.1
-
cpe:2.3:a:chainguard:melange:0.40.2
-
cpe:2.3:a:chainguard:melange:0.40.3
-
cpe:2.3:a:chainguard:melange:0.40.4
-
cpe:2.3:a:chainguard:melange:0.40.5
-
cpe:2.3:a:chainguard:melange:0.5.0
-
cpe:2.3:a:chainguard:melange:0.5.1
-
cpe:2.3:a:chainguard:melange:0.5.10
-
cpe:2.3:a:chainguard:melange:0.5.2
-
cpe:2.3:a:chainguard:melange:0.5.3
-
cpe:2.3:a:chainguard:melange:0.5.4
-
cpe:2.3:a:chainguard:melange:0.5.5
-
cpe:2.3:a:chainguard:melange:0.5.6
-
cpe:2.3:a:chainguard:melange:0.5.7
-
cpe:2.3:a:chainguard:melange:0.5.8
-
cpe:2.3:a:chainguard:melange:0.5.9
-
cpe:2.3:a:chainguard:melange:0.6.0
-
cpe:2.3:a:chainguard:melange:0.6.1
-
cpe:2.3:a:chainguard:melange:0.6.10
-
cpe:2.3:a:chainguard:melange:0.6.11
-
cpe:2.3:a:chainguard:melange:0.6.2
-
cpe:2.3:a:chainguard:melange:0.6.3
-
cpe:2.3:a:chainguard:melange:0.6.4
-
cpe:2.3:a:chainguard:melange:0.6.5
-
cpe:2.3:a:chainguard:melange:0.6.6
-
cpe:2.3:a:chainguard:melange:0.6.7
-
cpe:2.3:a:chainguard:melange:0.6.8
-
cpe:2.3:a:chainguard:melange:0.6.9
-
cpe:2.3:a:chainguard:melange:0.7.0
-
cpe:2.3:a:chainguard:melange:0.8.0
-
cpe:2.3:a:chainguard:melange:0.8.1
-
cpe:2.3:a:chainguard:melange:0.8.2
-
cpe:2.3:a:chainguard:melange:0.8.3
-
cpe:2.3:a:chainguard:melange:0.8.4
-
cpe:2.3:a:chainguard:melange:0.8.5
-
cpe:2.3:a:chainguard:melange:0.8.6
-
cpe:2.3:a:chainguard:melange:0.9.0