GO-2026-4588 — Vulnetix

GO-2026-4588 PUBLISHED

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange

Affected Products

Vendor	Product	Versions
chainguard.dev	melange	0, 0

Timeline

Mar 10, 2026 CVE Published
Mar 23, 2026 CVE Updated

References

https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc advisory

Open in Interactive Console →

$ Console Community · 100/wk Open console ›