CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-29049

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 11.5%

CVSS Severity

CVSS v3 Score 4.3

References

https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc

Products affected by CVE-2026-29049

Chainguard » Melange » Version: 0.1.0

cpe:2.3:a:chainguard:melange:0.1.0
Chainguard » Melange » Version: 0.10.0

cpe:2.3:a:chainguard:melange:0.10.0
Chainguard » Melange » Version: 0.10.1

cpe:2.3:a:chainguard:melange:0.10.1
Chainguard » Melange » Version: 0.10.2

cpe:2.3:a:chainguard:melange:0.10.2
Chainguard » Melange » Version: 0.10.3

cpe:2.3:a:chainguard:melange:0.10.3
Chainguard » Melange » Version: 0.10.4

cpe:2.3:a:chainguard:melange:0.10.4
Chainguard » Melange » Version: 0.11.0

cpe:2.3:a:chainguard:melange:0.11.0
Chainguard » Melange » Version: 0.11.1

cpe:2.3:a:chainguard:melange:0.11.1
Chainguard » Melange » Version: 0.11.2

cpe:2.3:a:chainguard:melange:0.11.2
Chainguard » Melange » Version: 0.11.3

cpe:2.3:a:chainguard:melange:0.11.3
Chainguard » Melange » Version: 0.11.4

cpe:2.3:a:chainguard:melange:0.11.4
Chainguard » Melange » Version: 0.11.5

cpe:2.3:a:chainguard:melange:0.11.5
Chainguard » Melange » Version: 0.11.6

cpe:2.3:a:chainguard:melange:0.11.6
Chainguard » Melange » Version: 0.12.0

cpe:2.3:a:chainguard:melange:0.12.0
Chainguard » Melange » Version: 0.12.1

cpe:2.3:a:chainguard:melange:0.12.1
Chainguard » Melange » Version: 0.13.0

cpe:2.3:a:chainguard:melange:0.13.0
Chainguard » Melange » Version: 0.13.1

cpe:2.3:a:chainguard:melange:0.13.1
Chainguard » Melange » Version: 0.13.2

cpe:2.3:a:chainguard:melange:0.13.2
Chainguard » Melange » Version: 0.13.3

cpe:2.3:a:chainguard:melange:0.13.3
Chainguard » Melange » Version: 0.13.4

cpe:2.3:a:chainguard:melange:0.13.4
Chainguard » Melange » Version: 0.13.5

cpe:2.3:a:chainguard:melange:0.13.5
Chainguard » Melange » Version: 0.13.6

cpe:2.3:a:chainguard:melange:0.13.6
Chainguard » Melange » Version: 0.13.7

cpe:2.3:a:chainguard:melange:0.13.7
Chainguard » Melange » Version: 0.14.0

cpe:2.3:a:chainguard:melange:0.14.0
Chainguard » Melange » Version: 0.14.1

cpe:2.3:a:chainguard:melange:0.14.1
Chainguard » Melange » Version: 0.14.10

cpe:2.3:a:chainguard:melange:0.14.10
Chainguard » Melange » Version: 0.14.11

cpe:2.3:a:chainguard:melange:0.14.11
Chainguard » Melange » Version: 0.14.2

cpe:2.3:a:chainguard:melange:0.14.2
Chainguard » Melange » Version: 0.14.3

cpe:2.3:a:chainguard:melange:0.14.3
Chainguard » Melange » Version: 0.14.4

cpe:2.3:a:chainguard:melange:0.14.4
Chainguard » Melange » Version: 0.14.5

cpe:2.3:a:chainguard:melange:0.14.5
Chainguard » Melange » Version: 0.14.6

cpe:2.3:a:chainguard:melange:0.14.6
Chainguard » Melange » Version: 0.14.7

cpe:2.3:a:chainguard:melange:0.14.7
Chainguard » Melange » Version: 0.14.8

cpe:2.3:a:chainguard:melange:0.14.8
Chainguard » Melange » Version: 0.14.9

cpe:2.3:a:chainguard:melange:0.14.9
Chainguard » Melange » Version: 0.15.0

cpe:2.3:a:chainguard:melange:0.15.0
Chainguard » Melange » Version: 0.15.1

cpe:2.3:a:chainguard:melange:0.15.1
Chainguard » Melange » Version: 0.15.10

cpe:2.3:a:chainguard:melange:0.15.10
Chainguard » Melange » Version: 0.15.11

cpe:2.3:a:chainguard:melange:0.15.11
Chainguard » Melange » Version: 0.15.12

cpe:2.3:a:chainguard:melange:0.15.12
Chainguard » Melange » Version: 0.15.13

cpe:2.3:a:chainguard:melange:0.15.13
Chainguard » Melange » Version: 0.15.14

cpe:2.3:a:chainguard:melange:0.15.14
Chainguard » Melange » Version: 0.15.2

cpe:2.3:a:chainguard:melange:0.15.2
Chainguard » Melange » Version: 0.15.3

cpe:2.3:a:chainguard:melange:0.15.3
Chainguard » Melange » Version: 0.15.4

cpe:2.3:a:chainguard:melange:0.15.4
Chainguard » Melange » Version: 0.15.5

cpe:2.3:a:chainguard:melange:0.15.5
Chainguard » Melange » Version: 0.15.6

cpe:2.3:a:chainguard:melange:0.15.6
Chainguard » Melange » Version: 0.15.7

cpe:2.3:a:chainguard:melange:0.15.7
Chainguard » Melange » Version: 0.15.8

cpe:2.3:a:chainguard:melange:0.15.8
Chainguard » Melange » Version: 0.15.9

cpe:2.3:a:chainguard:melange:0.15.9
Chainguard » Melange » Version: 0.16.0

cpe:2.3:a:chainguard:melange:0.16.0
Chainguard » Melange » Version: 0.17.0

cpe:2.3:a:chainguard:melange:0.17.0
Chainguard » Melange » Version: 0.17.1

cpe:2.3:a:chainguard:melange:0.17.1
Chainguard » Melange » Version: 0.17.2

cpe:2.3:a:chainguard:melange:0.17.2
Chainguard » Melange » Version: 0.17.3

cpe:2.3:a:chainguard:melange:0.17.3
Chainguard » Melange » Version: 0.17.4

cpe:2.3:a:chainguard:melange:0.17.4
Chainguard » Melange » Version: 0.17.5

cpe:2.3:a:chainguard:melange:0.17.5
Chainguard » Melange » Version: 0.17.6

cpe:2.3:a:chainguard:melange:0.17.6
Chainguard » Melange » Version: 0.17.7

cpe:2.3:a:chainguard:melange:0.17.7
Chainguard » Melange » Version: 0.18.0

cpe:2.3:a:chainguard:melange:0.18.0
Chainguard » Melange » Version: 0.18.1

cpe:2.3:a:chainguard:melange:0.18.1
Chainguard » Melange » Version: 0.18.2

cpe:2.3:a:chainguard:melange:0.18.2
Chainguard » Melange » Version: 0.18.3

cpe:2.3:a:chainguard:melange:0.18.3
Chainguard » Melange » Version: 0.19.0

cpe:2.3:a:chainguard:melange:0.19.0
Chainguard » Melange » Version: 0.19.1

cpe:2.3:a:chainguard:melange:0.19.1
Chainguard » Melange » Version: 0.19.2

cpe:2.3:a:chainguard:melange:0.19.2
Chainguard » Melange » Version: 0.19.3

cpe:2.3:a:chainguard:melange:0.19.3
Chainguard » Melange » Version: 0.19.4

cpe:2.3:a:chainguard:melange:0.19.4
Chainguard » Melange » Version: 0.19.5

cpe:2.3:a:chainguard:melange:0.19.5
Chainguard » Melange » Version: 0.2.0

cpe:2.3:a:chainguard:melange:0.2.0
Chainguard » Melange » Version: 0.20.0

cpe:2.3:a:chainguard:melange:0.20.0
Chainguard » Melange » Version: 0.20.1

cpe:2.3:a:chainguard:melange:0.20.1
Chainguard » Melange » Version: 0.21.0

cpe:2.3:a:chainguard:melange:0.21.0
Chainguard » Melange » Version: 0.21.1

cpe:2.3:a:chainguard:melange:0.21.1
Chainguard » Melange » Version: 0.21.2

cpe:2.3:a:chainguard:melange:0.21.2
Chainguard » Melange » Version: 0.22.0

cpe:2.3:a:chainguard:melange:0.22.0
Chainguard » Melange » Version: 0.22.1

cpe:2.3:a:chainguard:melange:0.22.1
Chainguard » Melange » Version: 0.22.2

cpe:2.3:a:chainguard:melange:0.22.2
Chainguard » Melange » Version: 0.23.0

cpe:2.3:a:chainguard:melange:0.23.0
Chainguard » Melange » Version: 0.23.1

cpe:2.3:a:chainguard:melange:0.23.1
Chainguard » Melange » Version: 0.23.10

cpe:2.3:a:chainguard:melange:0.23.10
Chainguard » Melange » Version: 0.23.11

cpe:2.3:a:chainguard:melange:0.23.11
Chainguard » Melange » Version: 0.23.12

cpe:2.3:a:chainguard:melange:0.23.12
Chainguard » Melange » Version: 0.23.13

cpe:2.3:a:chainguard:melange:0.23.13
Chainguard » Melange » Version: 0.23.14

cpe:2.3:a:chainguard:melange:0.23.14
Chainguard » Melange » Version: 0.23.15

cpe:2.3:a:chainguard:melange:0.23.15
Chainguard » Melange » Version: 0.23.16

cpe:2.3:a:chainguard:melange:0.23.16
Chainguard » Melange » Version: 0.23.17

cpe:2.3:a:chainguard:melange:0.23.17
Chainguard » Melange » Version: 0.23.2

cpe:2.3:a:chainguard:melange:0.23.2
Chainguard » Melange » Version: 0.23.3

cpe:2.3:a:chainguard:melange:0.23.3
Chainguard » Melange » Version: 0.23.4

cpe:2.3:a:chainguard:melange:0.23.4
Chainguard » Melange » Version: 0.23.5

cpe:2.3:a:chainguard:melange:0.23.5
Chainguard » Melange » Version: 0.23.6

cpe:2.3:a:chainguard:melange:0.23.6
Chainguard » Melange » Version: 0.23.7

cpe:2.3:a:chainguard:melange:0.23.7
Chainguard » Melange » Version: 0.23.8

cpe:2.3:a:chainguard:melange:0.23.8
Chainguard » Melange » Version: 0.23.9

cpe:2.3:a:chainguard:melange:0.23.9
Chainguard » Melange » Version: 0.24.0

cpe:2.3:a:chainguard:melange:0.24.0
Chainguard » Melange » Version: 0.25.0

cpe:2.3:a:chainguard:melange:0.25.0
Chainguard » Melange » Version: 0.25.1

cpe:2.3:a:chainguard:melange:0.25.1
Chainguard » Melange » Version: 0.26.0

cpe:2.3:a:chainguard:melange:0.26.0
Chainguard » Melange » Version: 0.26.1

cpe:2.3:a:chainguard:melange:0.26.1
Chainguard » Melange » Version: 0.26.10

cpe:2.3:a:chainguard:melange:0.26.10
Chainguard » Melange » Version: 0.26.11

cpe:2.3:a:chainguard:melange:0.26.11
Chainguard » Melange » Version: 0.26.12

cpe:2.3:a:chainguard:melange:0.26.12
Chainguard » Melange » Version: 0.26.13

cpe:2.3:a:chainguard:melange:0.26.13
Chainguard » Melange » Version: 0.26.2

cpe:2.3:a:chainguard:melange:0.26.2
Chainguard » Melange » Version: 0.26.3

cpe:2.3:a:chainguard:melange:0.26.3
Chainguard » Melange » Version: 0.26.4

cpe:2.3:a:chainguard:melange:0.26.4
Chainguard » Melange » Version: 0.26.5

cpe:2.3:a:chainguard:melange:0.26.5
Chainguard » Melange » Version: 0.26.6

cpe:2.3:a:chainguard:melange:0.26.6
Chainguard » Melange » Version: 0.26.7

cpe:2.3:a:chainguard:melange:0.26.7
Chainguard » Melange » Version: 0.26.8

cpe:2.3:a:chainguard:melange:0.26.8
Chainguard » Melange » Version: 0.26.9

cpe:2.3:a:chainguard:melange:0.26.9
Chainguard » Melange » Version: 0.27.0

cpe:2.3:a:chainguard:melange:0.27.0
Chainguard » Melange » Version: 0.28.0

cpe:2.3:a:chainguard:melange:0.28.0
Chainguard » Melange » Version: 0.29.0

cpe:2.3:a:chainguard:melange:0.29.0
Chainguard » Melange » Version: 0.29.1

cpe:2.3:a:chainguard:melange:0.29.1
Chainguard » Melange » Version: 0.29.2

cpe:2.3:a:chainguard:melange:0.29.2
Chainguard » Melange » Version: 0.29.3

cpe:2.3:a:chainguard:melange:0.29.3
Chainguard » Melange » Version: 0.29.4

cpe:2.3:a:chainguard:melange:0.29.4
Chainguard » Melange » Version: 0.29.5

cpe:2.3:a:chainguard:melange:0.29.5
Chainguard » Melange » Version: 0.29.6

cpe:2.3:a:chainguard:melange:0.29.6
Chainguard » Melange » Version: 0.29.7

cpe:2.3:a:chainguard:melange:0.29.7
Chainguard » Melange » Version: 0.3.0

cpe:2.3:a:chainguard:melange:0.3.0
Chainguard » Melange » Version: 0.3.1

cpe:2.3:a:chainguard:melange:0.3.1
Chainguard » Melange » Version: 0.3.2

cpe:2.3:a:chainguard:melange:0.3.2
Chainguard » Melange » Version: 0.30.0

cpe:2.3:a:chainguard:melange:0.30.0
Chainguard » Melange » Version: 0.30.1

cpe:2.3:a:chainguard:melange:0.30.1
Chainguard » Melange » Version: 0.30.2

cpe:2.3:a:chainguard:melange:0.30.2
Chainguard » Melange » Version: 0.30.3

cpe:2.3:a:chainguard:melange:0.30.3
Chainguard » Melange » Version: 0.30.4

cpe:2.3:a:chainguard:melange:0.30.4
Chainguard » Melange » Version: 0.30.5

cpe:2.3:a:chainguard:melange:0.30.5
Chainguard » Melange » Version: 0.30.6

cpe:2.3:a:chainguard:melange:0.30.6
Chainguard » Melange » Version: 0.31.0

cpe:2.3:a:chainguard:melange:0.31.0
Chainguard » Melange » Version: 0.31.1

cpe:2.3:a:chainguard:melange:0.31.1
Chainguard » Melange » Version: 0.31.2

cpe:2.3:a:chainguard:melange:0.31.2
Chainguard » Melange » Version: 0.31.3

cpe:2.3:a:chainguard:melange:0.31.3
Chainguard » Melange » Version: 0.31.4

cpe:2.3:a:chainguard:melange:0.31.4
Chainguard » Melange » Version: 0.31.5

cpe:2.3:a:chainguard:melange:0.31.5
Chainguard » Melange » Version: 0.31.6

cpe:2.3:a:chainguard:melange:0.31.6
Chainguard » Melange » Version: 0.31.7

cpe:2.3:a:chainguard:melange:0.31.7
Chainguard » Melange » Version: 0.31.8

cpe:2.3:a:chainguard:melange:0.31.8
Chainguard » Melange » Version: 0.31.9

cpe:2.3:a:chainguard:melange:0.31.9
Chainguard » Melange » Version: 0.32.0

cpe:2.3:a:chainguard:melange:0.32.0
Chainguard » Melange » Version: 0.33.0

cpe:2.3:a:chainguard:melange:0.33.0
Chainguard » Melange » Version: 0.33.1

cpe:2.3:a:chainguard:melange:0.33.1
Chainguard » Melange » Version: 0.33.2

cpe:2.3:a:chainguard:melange:0.33.2
Chainguard » Melange » Version: 0.34.0

cpe:2.3:a:chainguard:melange:0.34.0
Chainguard » Melange » Version: 0.34.1

cpe:2.3:a:chainguard:melange:0.34.1
Chainguard » Melange » Version: 0.34.2

cpe:2.3:a:chainguard:melange:0.34.2
Chainguard » Melange » Version: 0.34.3

cpe:2.3:a:chainguard:melange:0.34.3
Chainguard » Melange » Version: 0.35.0

cpe:2.3:a:chainguard:melange:0.35.0
Chainguard » Melange » Version: 0.35.1

cpe:2.3:a:chainguard:melange:0.35.1
Chainguard » Melange » Version: 0.36.0

cpe:2.3:a:chainguard:melange:0.36.0
Chainguard » Melange » Version: 0.37.0

cpe:2.3:a:chainguard:melange:0.37.0
Chainguard » Melange » Version: 0.37.1

cpe:2.3:a:chainguard:melange:0.37.1
Chainguard » Melange » Version: 0.37.2

cpe:2.3:a:chainguard:melange:0.37.2
Chainguard » Melange » Version: 0.37.3

cpe:2.3:a:chainguard:melange:0.37.3
Chainguard » Melange » Version: 0.37.4

cpe:2.3:a:chainguard:melange:0.37.4
Chainguard » Melange » Version: 0.37.5

cpe:2.3:a:chainguard:melange:0.37.5
Chainguard » Melange » Version: 0.38.0

cpe:2.3:a:chainguard:melange:0.38.0
Chainguard » Melange » Version: 0.38.1

cpe:2.3:a:chainguard:melange:0.38.1
Chainguard » Melange » Version: 0.39.0

cpe:2.3:a:chainguard:melange:0.39.0
Chainguard » Melange » Version: 0.4.0

cpe:2.3:a:chainguard:melange:0.4.0
Chainguard » Melange » Version: 0.40.0

cpe:2.3:a:chainguard:melange:0.40.0
Chainguard » Melange » Version: 0.40.1

cpe:2.3:a:chainguard:melange:0.40.1
Chainguard » Melange » Version: 0.40.2

cpe:2.3:a:chainguard:melange:0.40.2
Chainguard » Melange » Version: 0.40.3

cpe:2.3:a:chainguard:melange:0.40.3
Chainguard » Melange » Version: 0.40.4

cpe:2.3:a:chainguard:melange:0.40.4
Chainguard » Melange » Version: 0.40.5

cpe:2.3:a:chainguard:melange:0.40.5
Chainguard » Melange » Version: 0.5.0

cpe:2.3:a:chainguard:melange:0.5.0
Chainguard » Melange » Version: 0.5.1

cpe:2.3:a:chainguard:melange:0.5.1
Chainguard » Melange » Version: 0.5.10

cpe:2.3:a:chainguard:melange:0.5.10
Chainguard » Melange » Version: 0.5.2

cpe:2.3:a:chainguard:melange:0.5.2
Chainguard » Melange » Version: 0.5.3

cpe:2.3:a:chainguard:melange:0.5.3
Chainguard » Melange » Version: 0.5.4

cpe:2.3:a:chainguard:melange:0.5.4
Chainguard » Melange » Version: 0.5.5

cpe:2.3:a:chainguard:melange:0.5.5
Chainguard » Melange » Version: 0.5.6

cpe:2.3:a:chainguard:melange:0.5.6
Chainguard » Melange » Version: 0.5.7

cpe:2.3:a:chainguard:melange:0.5.7
Chainguard » Melange » Version: 0.5.8

cpe:2.3:a:chainguard:melange:0.5.8
Chainguard » Melange » Version: 0.5.9

cpe:2.3:a:chainguard:melange:0.5.9
Chainguard » Melange » Version: 0.6.0

cpe:2.3:a:chainguard:melange:0.6.0
Chainguard » Melange » Version: 0.6.1

cpe:2.3:a:chainguard:melange:0.6.1
Chainguard » Melange » Version: 0.6.10

cpe:2.3:a:chainguard:melange:0.6.10
Chainguard » Melange » Version: 0.6.11

cpe:2.3:a:chainguard:melange:0.6.11
Chainguard » Melange » Version: 0.6.2

cpe:2.3:a:chainguard:melange:0.6.2
Chainguard » Melange » Version: 0.6.3

cpe:2.3:a:chainguard:melange:0.6.3
Chainguard » Melange » Version: 0.6.4

cpe:2.3:a:chainguard:melange:0.6.4
Chainguard » Melange » Version: 0.6.5

cpe:2.3:a:chainguard:melange:0.6.5
Chainguard » Melange » Version: 0.6.6

cpe:2.3:a:chainguard:melange:0.6.6
Chainguard » Melange » Version: 0.6.7

cpe:2.3:a:chainguard:melange:0.6.7
Chainguard » Melange » Version: 0.6.8

cpe:2.3:a:chainguard:melange:0.6.8
Chainguard » Melange » Version: 0.6.9

cpe:2.3:a:chainguard:melange:0.6.9
Chainguard » Melange » Version: 0.7.0

cpe:2.3:a:chainguard:melange:0.7.0
Chainguard » Melange » Version: 0.8.0

cpe:2.3:a:chainguard:melange:0.8.0
Chainguard » Melange » Version: 0.8.1

cpe:2.3:a:chainguard:melange:0.8.1
Chainguard » Melange » Version: 0.8.2

cpe:2.3:a:chainguard:melange:0.8.2
Chainguard » Melange » Version: 0.8.3

cpe:2.3:a:chainguard:melange:0.8.3
Chainguard » Melange » Version: 0.8.4

cpe:2.3:a:chainguard:melange:0.8.4
Chainguard » Melange » Version: 0.8.5

cpe:2.3:a:chainguard:melange:0.8.5
Chainguard » Melange » Version: 0.8.6

cpe:2.3:a:chainguard:melange:0.8.6
Chainguard » Melange » Version: 0.9.0

cpe:2.3:a:chainguard:melange:0.9.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-29049

Products

Pricing

Contact Us