CVE-2026-54174High· 8.3▾ Twilightmelange: Incomplete package integrity verification allows data section substitution
▾ Twilight zone — High severity, or a signal on a lesser flaw
impact 45.7 · likelihood 0 · exploitation 0
Need a working PoC? Pro members can cast a request and our team develops one — it lands right here.
Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.
chainguard.dev/apko < 1.2.9chainguard.dev/melange < 0.50.4Upgrade to a patched release:
chainguard.dev/apko 1.2.9chainguard.dev/melange 0.50.4Connected by shared product, vendor, weakness, or advisory.
CVE-2026-3012High· 8.0A flaw was found in Samba’s certificate auto-enrollment Group Policy handling
CVE-2026-26007Medium· 6.5cryptography is a package designed to expose cryptographic primitives and recipes to Python developers
CVE-2026-49834Medium· 5.9sigstore-go has a multi-log threshold bypass via single compromised log
CVE-2026-48096Medium· 5.0OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
CVE-2026-55430Medium· 5.8Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
CVE-2026-44937High· 7.5Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components