CVE-2026-28407
malcontent's nested archive extraction failure can drop content from scan inputs
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent removed nested archives that failed to extract, which dropped them from the scan inputs and could leave malicious content unscanned. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue.
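The difference between removing and preserving a nested archive that fails to extract, as an added Go example (not malcontent's own code). The helper names, the use of gzip as the nested format, and the corrupt sample file are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// gunzip decompresses raw gzip bytes (gzip stands in for any nested archive format).
func gunzip(raw []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// expandNested (hypothetical helper) replaces a nested archive with its contents.
// When extraction fails, preserveOnFailure decides whether the archive bytes stay scannable.
func expandNested(path string, preserveOnFailure bool) error {
	raw, _ := os.ReadFile(path) // an unreadable file simply fails extraction below
	data, err := gunzip(raw)
	if err == nil {
		if err = os.WriteFile(path+".out", data, 0o600); err == nil {
			return os.Remove(path) // contents extracted; the wrapper is redundant
		}
	}
	if !preserveOnFailure {
		os.Remove(path) // fail-open: these bytes never reach the scanner
	}
	return err
}

// scanInputs builds a constructed corrupt archive and returns what is left to scan.
func scanInputs(preserve bool) []string {
	dir, _ := os.MkdirTemp("", "nested")
	defer os.RemoveAll(dir)
	inner := filepath.Join(dir, "inner.gz")
	os.WriteFile(inner, []byte("not really gzip"), 0o600)
	expandNested(inner, preserve)
	left, _ := filepath.Glob(filepath.Join(dir, "*"))
	return left
}

func main() { fmt.Println(scanInputs(false), scanInputs(true)) }
```

With removal on failure the scan directory ends up empty, so a scanner walking it reports nothing; with preservation the unextractable file remains and its raw bytes can still be matched against rules.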
| CWE | CWE-703 |
| Vendor | chainguard-dev |
| Product | malcontent |
| Published | Feb 27, 2026 |
| Last Updated | Mar 2, 2026 |
Affected Versions
chainguard-dev / malcontent
< 1.21.0