187 matches found

OSV
added 2026/06/12 12:0 p.m., 8 views

RUSTSEC-2026-0178 Panic on a `DataRow` with fewer fields than columns allows denial of service

A malicious or compromised server can send a row containing fewer fields than its row description declares columns. Reading one of the missing columns then panics with an out-of-bounds index, aborting the calling task. This affects even the otherwise non-panicking `try_get`, and both Row and...

6.9 CVSS, 5.4 AI score
Exploits 0, References 3

vulnersOsv
added 2026/06/04 12:0 p.m., 4 views

ate (>=0.1.0 <=0.8.0), ate-auth (>=1.1.0 <=1.6.0) +67 more potentially affected by unknown CVE via pqcrypto-internals (>=0.1.0 <=0.2.11)

pqcrypto-internals CARGO version =0.1.0, =0.1.0, =1.1.0, =1.0.0, =1.1.0, =2.0.0, =0.1.2-alpha, =0.1.4, =0.1.1, =0.1.0, =0.1.1, =0.1.0, =0.1.2 - envencryptiontool =0.9.17 - ever-crypto =0.1.0 - hanzo-agentic =1.1.21 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0163...

5.5 AI score
Exploits 0

vulnersOsv
added 2026/05/29 12:0 p.m., 4 views

dicom-transfer-syntax-registry (>=0.8.2 <=0.9.1), dset (>=0.1.0 <=0.1.2) +10 more potentially affected by unknown CVE via jxl-grid (>=0.1.1 <=0.5.3)

jxl-grid CARGO version =0.1.1, =0.8.2, =0.1.0, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.5.0-rc0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0151...

5.5 AI score
Exploits 0

Positive Technologies
added 2026/05/21 12:0 a.m., 12 views

PT-2026-42815

Name of the Vulnerable Software and Affected Versions: wasmtime-wasi (affected versions not specified). Description: An access control mechanism bypass exists when a filesystem preopen is configured with DirPerms::all and FilePerms::READ without FilePerms::WRITE. This allows bypassing restrictions by...

7.5 CVSS, 5.4 AI score, 0.005 EPSS
Exploits 0, References 13

vulnersOsv
added 2026/04/24 12:0 p.m., 7 views

IMAPServer (=0.2.0), IMAPServer-cli (=0.1.0) +369 more potentially affected by unknown CVE via diesel (>=0.10.1 <=2.3.4)

diesel CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.1.4, =0.1.11, =0.1.0, =0.5.0, =0.1.0, =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0137...

5.5 AI score
Exploits 0

OSV
added 2026/04/23 12:0 p.m., 10 views

RUSTSEC-2026-0108 `sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits 0, References 2

vulnersOsv
added 2026/04/22 12:0 p.m., 4 views

hickory-server (>=0.24.0 <=0.25.0-alpha.1) potentially affected by unknown CVE via hickory-recursor (>=0.24.4 <=0.25.0-alpha.1)

hickory-recursor CARGO version =0.24.4, =0.24.0, =0.25.0-alpha.1 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0106...

5.8 AI score
Exploits 0

vulnersOsv
added 2026/04/14 12:0 p.m., 7 views

air-interpreter-cid (>=0.1.0 <=0.4.0), bellscoin (>=0.28.2 <=0.31.0) +48 more potentially affected by unknown CVE via core2 (>=0.3.3 <=0.4.0)

core2 CARGO version =0.3.3, =0.1.0, =0.28.2, =0.7.0, =2.3.0, =0.1.4, =0.3.0, =0.1.2, =2.1.0, =22.9.29 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0105...

5.8 AI score
Exploits 0

RustSec
added 2026/04/09 12:0 p.m., 8 views

Data leakage between pooling allocator instances

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p. For more information see the GitHub-hosted security advisory...

6.3 CVSS, 5.9 AI score, 0.00286 EPSS
Exploits 0, Affected Software 1

vulnersOsv
added 2026/03/04 12:0 p.m., 8 views

pqc-combo (=0.1.0), pqc-fips (=0.0.3) +1 more potentially affected by unknown CVE via libcrux-ml-dsa (=0.0.4)

libcrux-ml-dsa CARGO version =0.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on libcrux-ml-dsa and may be impacted: - pqc-combo =0.1.0 - pqc-fips =0.0.3 - pqc-nostd =0.1.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0077...

5.8 AI score
Exploits 0

OSV
added 2026/02/26 12:0 p.m., 4 views

RUSTSEC-2026-0027 `tracings` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage. The only crate depending on this crate was the...

5.6 AI score
Exploits 0, References 2

vulnersOsv
added 2026/02/04 12:0 p.m., 4 views

hpke-rs (>=0.1.0-pre.1 <=0.1.0-pre.2), openmls (>=0.4.0-pre.1 <=0.4.0-pre.2) +2 more potentially affected by unknown CVE via hpke-rs-rust-crypto (=0.1.1)

hpke-rs-rust-crypto CARGO version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on hpke-rs-rust-crypto and may be impacted: - hpke-rs =0.1.0-pre.1, =0.4.0-pre.1, =0.1.0, =0.3.0, =0.9.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-00...

5.8 AI score
Exploits 0

Positive Technologies
added 2026/02/03 12:0 a.m., 5 views

PT-2026-6355

Details: In the unique reclaim path of `BytesMut::reserve`, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual...

6.9 CVSS, 5.5 AI score, 0.00559 EPSS
Exploits 1, References 7

RedhatCVE
added 2026/01/09 11:28 a.m., 5 views

CVE-2021-27671

An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing for example Data: to be used in an attack...

6.1 CVSS, 6 AI score, 0.00686 EPSS
Exploits 0, References 1

vulnersOsv
added 2026/01/05 12:0 p.m., 3 views

acme-compilers (>=0.2.2 <=0.2.4), acvm (>=0.23.0 <=0.26.1) +286 more potentially affected by unknown CVE via rkyv (>=0.1.1 <=0.7.45)

rkyv CARGO version =0.1.1, =0.2.2, =0.23.0, =0.23.0, =0.0.1, =0.2.0, =0.39.0, =0.23.0, =0.26.1 - cairn-import-geonames =0.0.2-alpha - cairn-import-oa =0.0.2-alpha - cairn-import-osm =0.0.2-alpha - cairn-import-wof =0.0.2-alpha and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-00...

5.5 AI score
Exploits 0

Positive Technologies
added 2025/12/29 12:0 a.m., 4 views

PT-2026-4735

Name of the Vulnerable Software and Affected Versions: gix-date (affected versions not specified). Description: The `gix_date::parse::TimeBuf::as_str` function can produce strings with invalid, non-UTF8 characters. This breaks internal safety rules within the TimeBuf component, potentially causing...

7.1 CVSS, 5.9 AI score, 0.00193 EPSS
Exploits 1, References 21

The Hacker News
added 2025/11/21 1:0 p.m., 4 views

Google Brings AirDrop Compatibility to Android's Quick Share Using Rust-Hardened Security

In a surprise move, Google on Thursday announced that it has updated Quick Share, its peer-to-peer file transfer service, to work with Apple's equipment AirDrop, allowing users to more easily share files and photos between Android and iPhone devices. The cross-platform sharing feature is currentl...

6.1 AI score
Exploits 0

vulnersOsv
added 2025/11/17 12:0 p.m., 2 views

actix-web-opentelemetry (>=0.2.0 <=0.17.0), atomic-server (>=0.32.1 <=0.34.0) +39 more potentially affected by unknown CVE via opentelemetry-jaeger (>=0.10.0 <=0.9.0)

opentelemetry-jaeger CARGO version =0.10.0, =0.2.0, =0.32.1, =0.2.1, =4.1.0, =0.1.0, =0.4.0-prerelease1, =0.3.2, =0.2.0-rc-8, =0.2.0-rc-9, =0.2.0-rc-10, =0.2.0-rc, =0.1.0, =0.31.0, =0.1.0, =0.2.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0123...

5.5 AI score
Exploits 0

vulnersOsv
added 2025/11/10 12:0 p.m., 6 views

tandem_garble_interop (>=0.1.0 <=0.3.0) potentially affected by unknown CVE via tandem (>=0.1.0 <=0.3.0)

tandem CARGO version =0.1.0, =0.1.0, =0.3.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0117...

5.8 AI score
Exploits 0

vulnersOsv
added 2025/10/21 12:0 p.m., 3 views

apple-opensource-downloader (=0.1.0), async_bagit (>=0.1.0 <=0.2.0) +11 more potentially affected by CVE-2025-62518 via tokio-tar (=0.3.1)

tokio-tar CARGO version =0.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on tokio-tar and may be impacted: - apple-opensource-downloader =0.1.0 - async_bagit =0.1.0, =0.1.8, =0.8.0, =0.2.0, =0.1.0, =0.2.5, =0.4.0, =0.6.0, =0.12.0, =0.1.0,...

8.1 CVSS, 6 AI score, 0.00688 EPSS
Exploits 1