2 matches found
CVE-2026-42795
Gleam: Symlink following in Hex package export vulnerability (CVE-2026-42795) allows embedding files outside the project root into the generated Hex package. Root cause: file collection in compiler-cli/src/fs.rs uses follow_links(true) for publishable directories (e.g., src/, priv/) and add_path_...
CVE-2026-42795 Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers gleamfiles, nativefiles, privatefiles in compiler-cli/src/fs.rs use followlinkstrue when walking publishable directories...