Supply Chain Compromise Risk in Malcontent Software by Chainguard
CVE-2026-28407

6.9 MEDIUM

Key Information:

Vendor
CVE Published:
27 February 2026

What is CVE-2026-28407?

malcontent, Chainguard's tool for detecting supply-chain compromises, has a flaw in versions before 1.21.0 in its handling of nested archives. When a nested archive fails to extract, it may be removed, so malicious content inside it can go undetected. This undermines the tool's ability to scan and analyze archive bytes for threats. Version 1.21.0 resolves the issue by preserving such archives so that their bytes are still analyzed, improving the security posture of users relying on malcontent.
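The behaviour the advisory describes, as an added illustration that is not malcontent's own code: a minimal Go scanner over in-memory zip files, where a constructed marker string stands in for a real detection rule and the preserveOnFailure flag switches between discarding a nested archive that cannot be opened (the flaw) and scanning its raw bytes anyway (the fix).

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
)

const Marker = "EVIL_PAYLOAD_MARKER" // constructed stand-in for a real scan rule

// MakeZip builds an in-memory zip holding one stored entry named name.
func MakeZip(name string, content []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store}) // no compression: bytes stay verbatim
	f.Write(content)
	w.Close()
	return buf.Bytes()
}

// BuildSample nests a truncated inner.zip (central directory cut off) inside a valid outer zip.
func BuildSample() []byte {
	inner := MakeZip("payload.bin", []byte(Marker))
	return MakeZip("inner.zip", inner[:len(inner)-32])
}

// ScanArchive scans a blob, recursing into anything that starts with zip magic.
func ScanArchive(data []byte, preserveOnFailure bool) bool {
	if !bytes.HasPrefix(data, []byte("PK\x03\x04")) {
		return bytes.Contains(data, []byte(Marker)) // plain file: scan its bytes
	}
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		// Nested archive failed to extract. Dropping it here is the flaw the
		// advisory describes; the fix keeps the raw bytes and still scans them.
		return preserveOnFailure && bytes.Contains(data, []byte(Marker))
	}
	for _, e := range r.File {
		rc, err := e.Open()
		if err != nil {
			continue
		}
		content, _ := io.ReadAll(rc)
		rc.Close()
		if ScanArchive(content, preserveOnFailure) {
			return true
		}
	}
	return false
}
```

Run ScanArchive(BuildSample(), false) and ScanArchive(BuildSample(), true) side by side: only the preserving variant reports the payload hidden in the unextractable inner archive.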

Affected Version(s)

malcontent < 1.21.0

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
