CVE-2026-29049 - melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

CVE ID : CVE-2026-29049 Published : March 6, 2026, 7:16 a.m. | 43 minutes ago Description : melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...