Home > Vulnerability Database > CVE-2026-24844

Mend.io Vulnerability Database

CVE-2026-24844

Good to know:

Date: February 4, 2026

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.}} or ${{inputs.}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Severity Score

7.9

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24844

Url: https://github.com/chainguard-dev/melange

Url: https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8

Url: https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2

Url: https://www.mend.io/vulnerability-database/CVE-2026-24844

Severity Score

7.9

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version chainguard.dev/melange - v0.40.3;https://github.com/chainguard-dev/melange.git - v0.40.3

Learn More

CVSS v3.1

Base Score:	7.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24844

Good to know:

Date: February 4, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?