GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5 advisories
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI
Moderate
CVE-2026-29049
was published
for
chainguard.dev/melange
(Go)
Mar 2, 2026
melange has a path traversal in license-path which allows reading files outside workspace
Moderate
CVE-2026-25145
was published
for
chainguard.dev/melange
(Go)
Feb 4, 2026
apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams
Moderate
CVE-2026-25122
was published
for
chainguard.dev/apko
(Go)
Feb 3, 2026
malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
Moderate
CVE-2026-24846
was published
for
github.com/chainguard-dev/malcontent
(Go)
Jan 29, 2026
malcontent OCI image pull credential exfiltration via malicious registry token realm
Moderate
CVE-2026-24845
was published
for
github.com/chainguard-dev/malcontent
(Go)
Jan 29, 2026
ProTip!
Advisories are also available from the
GraphQL API