CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution

highCVSS 8.3CVE-2026-54174
Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.3
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-fpg8-7664-jc5q

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54174coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories