Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : opam vulnerability (USN-8256-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8256-1 advisory. Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An...

USN-8256-1: opam vulnerability

Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution...

MGASA-2026-0116 Updated opam packages fix security vulnerability

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. CVE-2026-41082...

PT-2026-39181

Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary locations, possibly leading to arbitrary code execution...

Fedora 44 : opam (2026-afe659aa4d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-afe659aa4d advisory. See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1. Tenable has extracted the preceding description block directly from the...

Fedora 43 : opam (2026-42ff51d2c7)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-42ff51d2c7 advisory. See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1. Tenable has extracted the preceding description block directly from the...

CVE-2026-41082

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory...