Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : opam vulnerability (USN-8256-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8256-1 advisory. Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An...

USN-8256-1: opam vulnerability

Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution...

MGASA-2026-0116 Updated opam packages fix security vulnerability

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. CVE-2026-41082...

Updated opam packages fix security vulnerability

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. CVE-2026-41082...

PT-2026-39181

Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution...

FreeBSD : devel/ocaml-opam -- CWE-24 Path Traversal: '../filedir' (9b5d6fbb-4893-11f1-82bf-3c7c3fba4204)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 9b5d6fbb-4893-11f1-82bf-3c7c3fba4204 advisory. https://github.com/ocaml/opam/releases/tag/2.5.1 reports: In OCaml opam before 2.5.1, a .install field...

Fedora 42 : opam (2026-301505f38f)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-301505f38f advisory. See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1. Tenable has extracted the preceding description block directly from the...

[SECURITY] Fedora 44 Update: opam-2.5.1-1.fc44

Opam is a source-based package manager for OCaml. It supports multiple simultaneous compiler installations, flexible package constraints, and a Git-friendly development workflow...

[SECURITY] Fedora 43 Update: opam-2.5.1-1.fc43

Opam is a source-based package manager for OCaml. It supports multiple simultaneous compiler installations, flexible package constraints, and a Git-friendly development workflow...

[SECURITY] Fedora 42 Update: opam-2.5.1-1.fc42

Opam is a source-based package manager for OCaml. It supports multiple simultaneous compiler installations, flexible package constraints, and a Git-friendly development workflow...

Fedora 43 : opam (2026-42ff51d2c7)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-42ff51d2c7 advisory. See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1. Tenable has extracted the preceding description block directly from the...

Fedora 44 : opam (2026-afe659aa4d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-afe659aa4d advisory. See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1. Tenable has extracted the preceding description block directly from the...

Security update for ocaml-patch, opam (moderate)

openSUSE Security Update: Security update for ocaml-patch, opam Announcement ID: openSUSE-SU-2026:0145-1 Rating: moderate References: 1262281 Cross-References: CVE-2026-41082 CVSS scores: CVE-2026-41082 SUSE: 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Affected Products:...

[SECURITY] [DLA 4541-1] opam security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-4541-1 [email protected] https://www.debian.org/lts/security/ Emilio Pozuelo Monfort April 21, 2026 https://wiki.debian.org/LTS -...

Debian dla-4541 : opam - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4541 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4541-1 [email protected] https://www.debian.org/lts/security/...

Debian dsa-6216 : opam - security update

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6216 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6216-1 [email protected] https://www.debian.org/security/...

opam-2.5.1-1.1 on GA media (moderate)

opam-2.5.1-1.1 on GA media Announcement ID: openSUSE-SU-2026:10568-1 Rating: moderate Cross-References: CVE-2026-41082 CVSS scores: CVE-2026-41082 SUSE : 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-41082 SUSE : 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N...

SUSE CVE-2026-41082

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory...

CVE-2026-41082

A flaw was found in OCaml opam. A malicious package containing a crafted .install field with directory traversal sequences allows an attacker to write files to arbitrary locations, potentially overwriting system files and causing arbitrary code execution. Mitigation To mitigate this vulnerability...

[SECURITY] [DSA 6216-1] opam security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6216-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 17, 2026 https://www.debian.org/security/faq -...