Search CVE reports



1 – 10 of 14 results


CVE-2026-5223

Medium priority
Needs evaluation

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability...

19 affected packages

rustc, rustc-1.62, rustc-1.74, rustc-1.76, rustc-1.77...

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rustc Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
rustc-1.62 Not in release Not in release Needs evaluation
rustc-1.74 Not in release Needs evaluation Not in release
rustc-1.76 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.77 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.78 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.79 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.80 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.81 Not in release Needs evaluation Needs evaluation
rustc-1.82 Not in release Needs evaluation Needs evaluation
rustc-1.83 Not in release Needs evaluation Needs evaluation
rustc-1.84 Not in release Needs evaluation Needs evaluation
rustc-1.85 Not in release Needs evaluation Needs evaluation
rustc-1.88 Not in release Not in release Not in release
rustc-1.89 Not in release Needs evaluation Needs evaluation
rustc-1.91 Needs evaluation Needs evaluation Needs evaluation
rustc-1.92 Needs evaluation Not in release Not in release
rustc-1.93 Needs evaluation Not in release Not in release
cargo Not in release Not in release Needs evaluation Needs evaluation Needs evaluation

CVE-2026-5222

Medium priority
Needs evaluation

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an...

19 affected packages

rustc, rustc-1.62, rustc-1.74, rustc-1.76, rustc-1.77...

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rustc Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
rustc-1.62 Not in release Not in release Needs evaluation
rustc-1.74 Not in release Needs evaluation Not in release
rustc-1.76 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.77 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.78 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.79 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.80 Not in release Needs evaluation Needs evaluation Needs evaluation
rustc-1.81 Not in release Needs evaluation Needs evaluation
rustc-1.82 Not in release Needs evaluation Needs evaluation
rustc-1.83 Not in release Needs evaluation Needs evaluation
rustc-1.84 Not in release Needs evaluation Needs evaluation
rustc-1.85 Not in release Needs evaluation Needs evaluation
rustc-1.88 Not in release Not in release Not in release
rustc-1.89 Not in release Needs evaluation Needs evaluation
rustc-1.91 Needs evaluation Needs evaluation Needs evaluation
rustc-1.92 Needs evaluation Not in release Not in release
rustc-1.93 Needs evaluation Not in release Not in release
cargo Not in release Not in release Needs evaluation Needs evaluation Needs evaluation

CVE-2026-33056

Medium priority

Some fixes available 34 of 53

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a...

23 affected packages

rust-tar, rustc, rustc-1.62, rustc-1.74, rustc-1.76...

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rust-tar Not affected Fixed Fixed Needs evaluation
rustc Not in release Fixed Fixed Needs evaluation Needs evaluation
rustc-1.62 Not in release Not in release Fixed
rustc-1.74 Not in release Fixed Not in release
rustc-1.76 Not in release Fixed Fixed Needs evaluation
rustc-1.77 Not in release Fixed Fixed Needs evaluation
rustc-1.78 Not in release Fixed Fixed Needs evaluation
rustc-1.79 Not in release Fixed Fixed Needs evaluation
rustc-1.80 Not in release Fixed Fixed Needs evaluation
rustc-1.81 Not in release Fixed Fixed
rustc-1.82 Not in release Fixed Fixed
rustc-1.83 Not in release Fixed Fixed
rustc-1.84 Not in release Fixed Fixed
rustc-1.85 Not in release Fixed Fixed
rustc-1.88 Not in release Not in release Not in release
rustc-1.89 Not in release Fixed Fixed
rustc-1.91 Not affected Fixed Fixed
rustc-1.92 Not affected Not in release Not in release
rustc-1.93 Not affected Not in release Not in release
cargo Not in release Not in release Needs evaluation Needs evaluation Needs evaluation
rust-cargo-c Not affected Needs evaluation Not in release
rust-async-tar Not in release Needs evaluation Not in release
rust-astral-tokio-tar Needs evaluation Not in release Not in release

CVE-2024-43402

Medium priority
Not affected

Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass...

2 affected packages

rustc, cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rustc Not affected Not affected Not affected Not affected
cargo Not in release Not affected Not affected Not affected

CVE-2024-24576

Negligible priority
Not affected

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on...

2 affected packages

rustc, cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rustc Not affected Not affected Not affected
cargo Not affected Not affected Not affected

CVE-2023-40030

Medium priority

Some fixes available 1 of 7

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A...

2 affected packages

cargo, rustc

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
cargo Not in release Not in release Needs evaluation Needs evaluation Needs evaluation
rustc Not in release Fixed Not affected Not affected Not affected

CVE-2023-38497

Medium priority

Some fixes available 6 of 11

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If...

3 affected packages

rust-cargo, rustc, cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
rust-cargo Not affected Vulnerable Fixed Not in release Ignored
rustc Not in release Fixed Not affected Not affected Not affected
cargo Not in release Not in release Fixed Fixed Fixed

CVE-2022-46176

Medium priority

Some fixes available 4 of 7

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to...

2 affected packages

cargo, rust-cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
cargo Not in release Not in release Fixed Fixed Vulnerable
rust-cargo Not affected Not affected Vulnerable Not in release Not in release

CVE-2022-36114

Low priority

Some fixes available 3 of 5

Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted...

1 affected package

cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
cargo Not in release Not in release Fixed Fixed Vulnerable

CVE-2022-36113

Low priority

Some fixes available 3 of 5

Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an...

1 affected package

cargo

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
cargo Not in release Not in release Fixed Fixed Vulnerable