3466 matches found
RUSTSEC-2026-0059 `tokio-tcp` is unmaintained
The tokio-tcp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-udp` is unmaintained
The tokio-udp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-sync` is unmaintained
The tokio-sync crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-executor` is unmaintained
The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
RUSTSEC-2026-0064 `tokio-udp` is unmaintained
The tokio-udp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
RUSTSEC-2026-0050 `tokio-uds` is unmaintained
The tokio-uds crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
UBUNTU-CVE-2026-33056
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball...
CVE-2026-33055
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the...
CVE-2026-33056
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball...
CVE-2026-33055
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the...
RUSTSEC-2026-0068 tar-rs incorrectly ignores PAX size headers if header size is nonzero
Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518astral-cve, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the...
RUSTSEC-2026-0040 `tracing-ethers` was removed from crates.io due to malicious code
The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...
`tracing-ethers` was removed from crates.io due to malicious code
The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...
RUSTSEC-2026-0174 `Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants
Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::setcredentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the...
`chrono_anchor` was removed from crates.io due to malicious code
The chronoanchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-04 approximately 6 days before removal and had no evidence of actual downloads. There were no crates...
Amazon Linux 2023 : firefox (ALAS2023-2026-1445)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1445 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack...
Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3177 (ALAS-2026-3177)
The version of thunderbird installed on the remote host is prior to 140.7.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3177 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type...
GHSA-MH23-RW7F-V5PQ `time-sync` was removed from crates.io due to malicious code
The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...
GHSA-XHW7-JHMP-J62J `dnp3times` was removed from crates.io due to malicious code
The dnp3times crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the dnp3time crate, but otherwise was the same attack as the recent timecalibrator and timecalibrators malware. The malicious cra...
`dnp3times` was removed from crates.io due to malicious code
The dnp3times crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the dnp3time crate, but otherwise was the same attack as the recent timecalibrator and timecalibrators malware. The malicious cra...