CVE-2026-43965

🗓️ 02 Jun 2026 13:41:37Reported by EEFType

cve🔗 web.nvd.nist.gov👁 38 Views🌐 WEB

Gleam path traversal in build/packages/packages.toml allows arbitrary directory deletion via deletion.

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2026-43965	2 Jun 202613:41	–	attackerkb
Circl	CVE-2026-43965	5 Jun 202609:52	–	circl
CNNVD	gleam 安全漏洞	2 Jun 202600:00	–	cnnvd
Cvelist	CVE-2026-43965 Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion	2 Jun 202613:41	–	cvelist
EUVD	EUVD-2026-33926	2 Jun 202613:41	–	euvd
NVD	CVE-2026-43965	2 Jun 202614:16	–	nvd
OPENSUSE Linux	gleam-1.17.0-1.1 on GA media (moderate)	8 Jun 202600:00	–	opensuse
OSV	EEF-CVE-2026-43965 Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion	2 Jun 202613:41	–	osv
OSV	OPENSUSE-SU-2026:10953-1 gleam-1.17.0-1.1 on GA media	4 Jun 202600:00	–	osv
Positive Technologies	PT-2026-45757	2 Jun 202600:00	–	ptsecurity

CNA

Node

gleam-lang gleamRange0.18.0-rc1–1.17.0

[
  {
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-cli"
    ],
    "packageName": "gleam",
    "packageURL": "pkg:sid/gleam.run/gleam",
    "product": "Gleam",
    "programFiles": [
      "compiler-cli/src/dependencies.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_cli::dependencies::remove_extra_packages"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
      }
    ],
    "vendor": "Gleam",
    "versions": [
      {
        "lessThan": "1.17.0",
        "status": "affected",
        "version": "0.18.0-rc1",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://github.com",
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-cli"
    ],
    "packageName": "gleam-lang/gleam",
    "packageURL": "pkg:github/gleam-lang/gleam",
    "product": "Gleam",
    "programFiles": [
      "compiler-cli/src/dependencies.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_cli::dependencies::remove_extra_packages"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
      }
    ],
    "repo": "https://github.com/gleam-lang/gleam",
    "vendor": "Gleam",
    "versions": [
      {
        "lessThan": "1.17.0",
        "status": "affected",
        "version": "0.18.0-rc1",
        "versionType": "semver"
      },
      {
        "lessThan": "690ca069817bee5f77a28fc3e360627c1da19291",
        "status": "affected",
        "version": "ed7aec0484f10d60978b63788c8a6497590855ab",
        "versionType": "git"
      }
    ]
  },
  {
    "collectionURL": "https://ghcr.io",
    "cpes": [
      "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "compiler-cli"
    ],
    "packageName": "gleam-lang/gleam",
    "packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
    "product": "Gleam",
    "programFiles": [
      "compiler-cli/src/dependencies.rs"
    ],
    "programRoutines": [
      {
        "name": "compiler_cli::dependencies::remove_extra_packages"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
      },
      {
        "name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
      }
    ],
    "vendor": "Gleam",
    "versions": [
      {
        "lessThan": "v1.17.0-elixir",
        "status": "affected",
        "version": "v0.18.0-rc1-elixir",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-erlang",
        "status": "affected",
        "version": "v0.18.0-rc1-erlang",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-node",
        "status": "affected",
        "version": "v0.18.0-rc1-node",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-node-slim",
        "status": "affected",
        "version": "v0.18.0-rc1-node-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-elixir-slim",
        "status": "affected",
        "version": "v0.18.0-rc1-elixir-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-erlang-slim",
        "status": "affected",
        "version": "v0.18.0-rc1-erlang-slim",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-erlang-alpine",
        "status": "affected",
        "version": "v0.18.0-rc1-erlang-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-elixir-alpine",
        "status": "affected",
        "version": "v0.18.0-rc1-elixir-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-node-alpine",
        "status": "affected",
        "version": "v0.18.0-rc1-node-alpine",
        "versionType": "other"
      },
      {
        "lessThan": "v1.17.0-scratch",
        "status": "affected",
        "version": "v0.18.0-rc1-scratch",
        "versionType": "other"
      }
    ]
  }
]

Source	Link
github	www.github.com/gleam-lang/gleam/commit/690ca069817bee5f77a28fc3e360627c1da19291
github	www.github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3
cna	www.cna.erlef.org/cves/CVE-2026-43965.html
osv	www.osv.dev/vulnerability/EEF-CVE-2026-43965

Parameter	Position	Path	Description	CWE
package keys read from build/packages/packages.toml	path	build/packages/packages.toml	Path traversal vulnerability due to unvalidated keys used to build filesystem paths leading to potential arbitrary directory deletion.	CWE-22
malicious attacker-controlled keys	path	build/packages/packages.toml	Path traversal vulnerability due to unvalidated keys used to build filesystem paths leading to potential arbitrary directory deletion.	CWE-22

17 Jun 2026 10:50Current

5.9Medium risk

Vulners AI Score5.9

CVSS 45.6

EPSS0.00152

SSVC

CWE-22