PT-2026-34804 · Melange · Melange

1Seal · Published 2026-04-23 · Updated 2026-04-28 · CVE-2026-29051

CVSS v3.1: 4.4 Medium
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: melange versions 0.32.0 through 0.43.3

Description: When the opt-in flag '--persist-lint-results' is used with 'melange lint' or 'melange build', the software constructs output file paths by joining the '--out-dir' parameter with the arch and pkgname values read from the .PKGINFO control file of the APK. Because these values are not validated for path separators or '..' sequences, an attacker who supplies a malicious APK to a lint or build pipeline could cause the software to write a JSON lint report to an arbitrary .json path reachable by the process. This can lead to the overwriting of other JSON artifacts on the filesystem. This issue only affects deployments where the '--persist-lint-results' flag is explicitly enabled.

Recommendations: Update to version 0.43.4. As a temporary workaround, do not pass the '--persist-lint-results' flag when linting or building APKs with untrusted .PKGINFO contents. Run the software as a low-privileged user and confine its writes to an isolated directory to limit impact.
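The flawed join and a hardened replacement, shown side by side as an added example; this is illustrative code written for this advisory, not melange's own implementation, and the function names, the constructed .PKGINFO sample and the '/work/out' directory are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// parsePkgInfo reads "key = value" lines from a .PKGINFO body (sample below is constructed).
func parsePkgInfo(body string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if k, v, ok := strings.Cut(line, " = "); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields
}

// lintReportPathUnchecked mirrors the flawed pattern: out-dir, arch and pkgname joined unvalidated.
func lintReportPathUnchecked(outDir, arch, pkgname string) string {
	return filepath.Join(outDir, arch, pkgname+".json")
}

// lintReportPath is the hardened form: each control-file value must be a single
// path component, and the joined result must still resolve inside outDir.
func lintReportPath(outDir, arch, pkgname string) (string, error) {
	for _, v := range []string{arch, pkgname} {
		if v == "" || v == "." || v == ".." || strings.ContainsAny(v, `/\`) {
			return "", fmt.Errorf("invalid path component %q", v)
		}
	}
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, arch, pkgname+".json")
	rel, err := filepath.Rel(base, p) // defence in depth: confirm containment
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("report path %q escapes %q", p, base)
	}
	return p, nil
}

func main() {
	info := parsePkgInfo("pkgname = ../../other-artifact\narch = x86_64")
	fmt.Println("unchecked:", lintReportPathUnchecked("/work/out", info["arch"], info["pkgname"]))
	fmt.Println(lintReportPath("/work/out", info["arch"], info["pkgname"]))
}
```

Run as-is, the unchecked join lands outside /work/out while the hardened function refuses the pkgname value.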

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-29051
GHSA-Q2PW-XX38-P64J

Affected Products

Melange