
4 matches found

ATTACKERKB
added 2026/05/13 9:36 p.m., 4 views

CVE-2026-44471

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries...

7.8 CVSS, 5.8 AI score, 0.00006 EPSS
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2026/05/07 12:1 a.m., 5 views

gix-fs: Symlink prefix-reuse allows worktree escape during checkout

Summary: A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. Details: During checkout, all symlink index entries are deferred and created after regular files using a...

7.8 CVSS, 6.1 AI score, 0.00006 EPSS
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/05/07 12:0 a.m., 5 views

PT-2026-38320

Name of the Vulnerable Software and Affected Versions: gitoxide versions prior to 0.21.1. Description: A malicious tree can be constructed that, when checked out, allows writing an attacker-controlled symlink into any directory where the user has write access. This occurs because gix fs::Stack::make...

7.8 CVSS, 5.8 AI score, 0.00006 EPSS
Exploits: 1, References: 13
Code423n4
added 2022/05/08 12:0 a.m., 7 views

steal user funds with front-running when he calls depositTokens() of MerkleVesting and MerkleResistor with wrong treeIndex (uninitiated)

Lines of code. Vulnerability details. Impact: The nature of this bug is similar in MerkleVesting and MerkleResistor and MerkleDropFactory, so I only write the MerkleDropFactory version: If a user calls depositTokens with a wrong treeIndex value by mistake, an attacker can perform a front-running attack and...

6.7 AI score
Exploits: 0