melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange
{ "review_status": "UNREVIEWED", "url": "https://pkg.go.dev/vuln/GO-2025-3815" }