PT-2026-6211 · Melange · Melange

1Seal · Published 2026-02-03 · Updated 2026-02-06 · CVE-2026-24843

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: melange versions 0.11.3 through 0.40.2

Description: melange is a tool for building apk packages from declarative pipelines. An attacker who can influence the tar stream that a QEMU guest VM sends back to the host can write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts the tar entries without checking that each entry's path resolves inside the workspace, so an entry name containing '../' sequences traverses out of it. The CVSS vector matches that picture: local attack vector, low privileges required, no user interaction, and a scope change (S:C) because the impact crosses from the guest into the host, affecting host integrity and availability but not confidentiality.

Recommendations: Update to version 0.40.3 or later.
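Worked example (added by the editor; this is neither melange's code nor the upstream fix): a minimal Go reproduction of the flaw class the description covers, with a tar archive constructed in memory standing in for the guest's stream. extract with contain=false joins entry names onto the workspace path the way the description says retrieveWorkspace did; with contain=true it routes every name through a containment check first. The function names, the sample entries and the choice of filepath.IsLocal as the check are assumptions of this example, not details of the upstream patch.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// buildTarStream constructs, for this example, the kind of archive a hostile
// guest could hand back: one benign file, then a name that climbs out with "../".
func buildTarStream() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"build/output.txt", "package contents\n"},
		{"../escaped.txt", "written outside the workspace\n"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// safeJoin accepts only names that filepath.IsLocal judges, after lexical
// cleaning, to stay beneath the extraction directory (no absolute paths, no
// ".." escapes) and joins them onto workspace. A string-prefix comparison on
// the joined path is the classic wrong fix: it lets "../workspace2/x" through.
func safeJoin(workspace, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("tar entry %q escapes workspace", name)
	}
	return filepath.Join(workspace, name), nil
}

// extract writes the regular-file entries of r under workspace. With contain
// false it reproduces the flaw class described above: the entry name is joined
// on as-is, and Join cleans "../escaped.txt" into the workspace's parent. With
// contain true every name goes through safeJoin and link entries are refused.
func extract(workspace string, r io.Reader, contain bool) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if contain && (hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink) {
			return written, fmt.Errorf("refusing link entry %q", hdr.Name) // link target could escape too
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories and other entry types are not needed for the demonstration
		}
		target := filepath.Join(workspace, hdr.Name)
		if contain {
			if target, err = safeJoin(workspace, hdr.Name); err != nil {
				return written, err
			}
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return written, err
		}
		if err := os.WriteFile(target, body, hdr.FileInfo().Mode().Perm()); err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

func main() {
	root, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, contain := range []bool{false, true} {
		got, err := extract(filepath.Join(root, "workspace"), bytes.NewReader(buildTarStream()), contain)
		fmt.Println("contain:", contain, "wrote:", got, "err:", err)
	}
}
```

Run it with go run: the unchecked pass reports a second path in the temporary directory itself, one level above the workspace, while the contained pass writes only the benign file and then stops with an error at the traversal entry. A production fix also has to deal with symlink and hard-link entries (this example simply refuses them, since a link pointing outside the workspace followed by a file written through it achieves the same escape) and, on Go 1.24 and later, can use os.Root to confine file operations to the directory instead of relying on lexical checks alone.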

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-24843
GHSA-QXX2-7H4C-83F4
GO-2026-4407
SUSE-SU-2026:0403-1

Affected Products

Melange