29 matches found

RedhatCVE
added yesterday

CVE-2026-5223

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...

CVSS 6.5 | AI score 5.5 | EPSS 0.0007
Exploits 0 | References 1
Cvelist
added 2026/05/25 8:54 a.m.

CVE-2026-5222 Cargo can be coerced to share credentials between registries

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...

CVSS 2.3 | EPSS 0.00033
Exploits 0 | References 3
CNNVD
added 2026/05/25 12:00 a.m.

Cargo security vulnerability

Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in Cargo versions 1.68 through 1.96, which stems from a misnormalization of third-party registry URLs that use the sparse indexing protocol, where an attacker who is able to publish crat...

CVSS 6.5 | AI score 5.9 | EPSS 0.00033
Exploits 0 | References 3
CNNVD
added 2026/05/25 12:00 a.m.

Cargo security vulnerability

Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in Cargo that stems from the incorrect handling of symbolic links in a crate tarball downloaded from a third-party registry, which could lead to a malicious crate overwriting the source...

CVSS 6.5 | AI score 5.9 | EPSS 0.0007
Exploits 0 | References 3
IBM Security Bulletins
added 2026/05/17 9:24 p.m.

Security Bulletin: Cargo in IBM Open SDK for Rust on AIX uses a vulnerable version of openssl (CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681)

Summary The cargo package manager in IBM Open SDK for Rust on AIX 1.90.0.1 and 1.92.0.1 uses versions 0.10.73 and 0.10.74 of the openssl crate, which provides Rust bindings for the OpenSSL library. Several security-related bugs, such as buffer overflows, were identified in these versions of the...

CVSS 9.8 | AI score 6 | EPSS 0.00158
Exploits 0 | Affected Software 1
OSV
added 2026/04/01 1:44 p.m.

USN-8139-1 rust-cargo-c vulnerability

It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside th...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits 1 | References 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2023-0541

Malicious code in bioql PyPI...

CVSS 5.9 | AI score 5.5 | EPSS 0.00149
Exploits 0 | References 9
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2023-2308

Malicious code in bioql PyPI...

CVSS 7.9 | AI score 6.9 | EPSS 0.05657
Exploits 0 | References 12
OSV
added 2025/03/07 3:26 p.m.

OESA-2025-1237 rust security update

Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator. Security Fixes: Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not...

CVSS 7.9 | AI score 6.8 | EPSS 0.05657
Exploits 0 | References 3
OSV
added 2024/07/05 11:08 a.m.

OESA-2024-1811 rust security update

Rust is a systems programming language focused on three goals: safety, speed, and concurrency. It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific spac...

CVSS 8.1 | AI score 8.9 | EPSS 0.08941
Exploits 0 | References 3
RedHat Linux
added 2024/05/28 2:09 p.m.

rust-cargo: cargo does not respect the umask when extracting dependencies

A flaw was found in the rust-cargo package. Cargo, as bundled with the Rust compiler, did not respect the umask when extracting dependency tarballs and caching the extraction for future builds. If a dependency contained files with 0777 permissions, another local user could edit the cache of the...

CVSS 7.9 | AI score 5.9 | EPSS 0.05657
Exploits 0 | References 5
Amazon
added 2023/09/07 12:00 a.m.

Important: rust

Issue Overview: Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files...

CVSS 7.9 | AI score 6.6 | EPSS 0.05657
Exploits 0
OSV
added 2023/08/03 2:30 p.m.

USN-6275-1 cargo, rust-cargo vulnerability

Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user...

CVSS 7.9 | AI score 7.1 | EPSS 0.05657
Exploits 0 | References 2
Ubuntu
added 2023/08/03 2:30 p.m.

USN-6275-1: Cargo vulnerability

Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user...

CVSS 7.9 | AI score 7.2 | EPSS 0.05657
Exploits 0
CNNVD
added 2023/08/03 12:00 a.m.

Cargo security breach

Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in versions of Cargo prior to 0.72.2, which stems from the fact that on UNIX-like systems, Cargo does not take into account the umask setting when extracting crate archives...

CVSS 7.9 | AI score 6.7 | EPSS 0.05657
Exploits 0 | References 13
Tenable Nessus
added 2023/08/03 12:00 a.m.

Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Cargo vulnerability (USN-6275-1)

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-6275-1 advisory. Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If t...

CVSS 7.9 | AI score 7.3 | EPSS 0.05657
Exploits 0 | References 2
Amazon
added 2023/03/22 12:00 a.m.

Medium: rust

Issue Overview: Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the...

CVSS 8.1 | AI score 8.2 | EPSS 0.08941
Exploits 0
SUSE CVE
added 2023/02/15 3:24 a.m.

SUSE CVE-2022-36113

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...

CVSS 5.4 | AI score 8.4 | EPSS 0.08941
Exploits 0 | References 5
SUSE CVE
added 2023/02/15 3:22 a.m.

SUSE CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned...

CVSS 7.5 | AI score 6.8 | EPSS 0.00149
Exploits 0 | References 7
OSV
added 2023/01/11 9:15 p.m.

DEBIAN-CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned...

CVSS 5.9 | AI score 5.7 | EPSS 0.00149
Exploits 0 | References 1