CVE-2026-32146

🗓️ 11 Apr 2026 12:59:22Reported by EEFType

Improper path validation in Gleam git dependency handling allows arbitrary filesystem modification during dependency download.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-32146	11 Apr 202612:59	–	attackerkb
AlpineLinux	CVE-2026-32146	11 Apr 202612:59	–	alpinelinux
Circl	CVE-2026-32146	11 Apr 202616:07	–	circl
CNNVD	gleam 安全漏洞	11 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification	11 Apr 202612:59	–	cvelist
EUVD	EUVD-2026-21680	11 Apr 202612:59	–	euvd
NVD	CVE-2026-32146	11 Apr 202614:16	–	nvd
OSV	EEF-CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification	11 Apr 202612:59	–	osv
Positive Technologies	PT-2026-32098	11 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-32146	13 Apr 202610:40	–	redhatcve

NVD

CNA

Node

lpil gleamRange1.9.0–1.15.4

[
  {
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-core"
    ],
    "packageName": "gleam",
    "packageURL": "pkg:sid/gleam.run/gleam",
    "product": "Gleam",
    "programFiles": [
      "compiler-core/src/config.rs",
      "compiler-core/src/manifest.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_core::config::dependencies_map::deserialize"
      },
      {
        "name": "compiler_core::config::package_name::deserialize"
      }
    ],
    "vendor": "Gleam",
    "versions": [
      {
        "changes": [
          {
            "at": "1.15.4",
            "status": "unaffected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "1.9.0-rc1",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://github.com",
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-core"
    ],
    "packageName": "gleam-lang/gleam",
    "packageURL": "pkg:github/gleam-lang/gleam",
    "product": "Gleam",
    "programFiles": [
      "compiler-core/src/config.rs",
      "compiler-core/src/manifest.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_core::config::dependencies_map::deserialize"
      },
      {
        "name": "compiler_core::config::package_name::deserialize"
      }
    ],
    "repo": "https://github.com/gleam-lang/gleam",
    "vendor": "Gleam",
    "versions": [
      {
        "changes": [
          {
            "at": "1.15.4",
            "status": "unaffected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "1.9.0-rc1",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "92aae3913570e8d8962f6399404777d313045bfa",
            "status": "unaffected"
          },
          {
            "at": "2dc0467f822c75de94697a912755d172928ee40a",
            "status": "unaffected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "a4fde22445ab8e5cc79c2ff48971616cb570702c",
        "versionType": "git"
      }
    ]
  },
  {
    "collectionURL": "https://ghcr.io",
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-core"
    ],
    "packageName": "gleam-lang/gleam",
    "packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
    "product": "Gleam",
    "programFiles": [
      "compiler-core/src/config.rs",
      "compiler-core/src/manifest.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_core::config::dependencies_map::deserialize"
      },
      {
        "name": "compiler_core::config::package_name::deserialize"
      }
    ],
    "vendor": "Gleam",
    "versions": [
      {
        "lessThan": "v1.15.4-elixir",
        "status": "affected",
        "version": "v1.9.0-rc1-elixir",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-erlang",
        "status": "affected",
        "version": "v1.9.0-rc1-erlang",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-node",
        "status": "affected",
        "version": "v1.9.0-rc1-node",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-node-slim",
        "status": "affected",
        "version": "v1.9.0-rc1-node-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-elixir-slim",
        "status": "affected",
        "version": "v1.9.0-rc1-elixir-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-erlang-slim",
        "status": "affected",
        "version": "v1.9.0-rc1-erlang-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-erlang-alpine",
        "status": "affected",
        "version": "v1.9.0-rc1-erlang-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-elixir-alpine",
        "status": "affected",
        "version": "v1.9.0-rc1-elixir-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-node-alpine",
        "status": "affected",
        "version": "v1.9.0-rc1-node-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.15.4-scratch",
        "status": "affected",
        "version": "v1.9.0-rc1-scratch",
        "versionType": "other"
      }
    ]
  }
]

Source	Link
github	www.github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf
github	www.github.com/gleam-lang/gleam/commit/2dc0467f822c75de94697a912755d172928ee40a
osv	www.osv.dev/vulnerability/EEF-CVE-2026-32146
github	www.github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j
cna	www.cna.erlef.org/cves/CVE-2026-32146.html

17 Jun 2026 10:35Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.8

CVSS 48.3

EPSS0.00239

SSVC

CWE-22