62 matches found

vulnersOsv
added 2026/04/27 12:0 p.m., 5 views

pqc-combo (=0.1.0), pqc-fips (=0.0.3) +1 more potentially affected by unknown CVE via libcrux-ml-dsa (=0.0.4)

libcrux-ml-dsa CARGO version =0.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on libcrux-ml-dsa and may be impacted: - pqc-combo =0.1.0 - pqc-fips =0.0.3 - pqc-nostd =0.1.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0126...

5.8 AI score
Exploits 0
vulnersOsv
added 2026/04/24 12:0 p.m., 6 views

IMAPServer (=0.2.0), IMAPServer-cli (=0.1.0) +368 more potentially affected by unknown CVE via diesel (>=0.10.1 <=2.3.4)

diesel CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.1.4, =0.1.11, =0.1.0, =0.5.0, =0.1.0, =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0137...

5.8 AI score
Exploits 0
OSV
added 2026/04/23 12:0 p.m., 5 views

RUSTSEC-2026-0108 `sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits 0, References 2
vulnersOsv
added 2026/04/22 12:0 p.m., 4 views

hickory-server (>=0.24.0 <=0.25.0-alpha.1) potentially affected by unknown CVE via hickory-recursor (>=0.24.4 <=0.25.0-alpha.1)

hickory-recursor CARGO version =0.24.4, =0.24.0, =0.25.0-alpha.1 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0106...

5.8 AI score
Exploits 0
vulnersOsv
added 2026/03/04 12:0 p.m., 2 views

pqc-combo (=0.1.0), pqc-fips (=0.0.3) +1 more potentially affected by unknown CVE via libcrux-ml-dsa (=0.0.4)

libcrux-ml-dsa CARGO version =0.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on libcrux-ml-dsa and may be impacted: - pqc-combo =0.1.0 - pqc-fips =0.0.3 - pqc-nostd =0.1.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0077...

5.8 AI score
Exploits 0
OSV
added 2026/02/26 12:0 p.m., 2 views

RUSTSEC-2026-0027 `tracings` was removed from crates.io for malicious code

This is part of an ongoing campaign to attempt to typosquat crates in an attempt to exfiltrate Polymarket credentials. The malicious crate had 1 version published on 2026-02-26 approximately 9 hours before removal and had no evidence of actual usage. The only crate depending on this crate was the...

5.6 AI score
Exploits 0, References 2
vulnersOsv
added 2026/02/04 12:0 p.m., 1 view

hpke-rs (>=0.1.0-pre.1 <=0.1.0-pre.2), openmls (>=0.4.0-pre.1 <=0.4.0-pre.2) +2 more potentially affected by unknown CVE via hpke-rs-rust-crypto (=0.1.1)

hpke-rs-rust-crypto CARGO version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on hpke-rs-rust-crypto and may be impacted: - hpke-rs =0.1.0-pre.1, =0.4.0-pre.1, =0.1.0, =0.3.0, =0.9.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-00...

5.8 AI score
Exploits 0
Positive Technologies
added 2026/02/03 12:0 a.m., 3 views

PT-2026-6355

Details: In the unique reclaim path of `BytesMut::reserve`, the condition `if v_capacity >= new_cap + offset` uses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual...

6.9 CVSS, 5.5 AI score, 0.00023 EPSS
Exploits 1, References 7
vulnersOsv
added 2026/01/05 12:0 p.m., 3 views

acme-compilers (>=0.2.2 <=0.2.4), acvm (>=0.23.0 <=0.26.1) +285 more potentially affected by unknown CVE via rkyv (>=0.1.1 <=0.7.45)

rkyv CARGO version =0.1.1, =0.2.2, =0.23.0, =0.23.0, =0.0.1, =0.2.0, =0.39.0, =0.23.0, =0.26.1 - cairn-import-geonames =0.0.2-alpha - cairn-import-oa =0.0.2-alpha - cairn-import-osm =0.0.2-alpha - cairn-import-wof =0.0.2-alpha and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-00...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/11/17 12:0 p.m., 2 views

actix-web-opentelemetry (>=0.2.0 <=0.17.0), atomic-server (>=0.32.1 <=0.34.0) +38 more potentially affected by unknown CVE via opentelemetry-jaeger (>=0.10.0 <=0.9.0)

opentelemetry-jaeger CARGO version =0.10.0, =0.2.0, =0.32.1, =0.2.1, =0.1.0, =0.4.0-prerelease1, =0.3.2, =0.2.0-rc-8, =0.2.0-rc-9, =0.2.0-rc-10, =0.2.0-rc, =0.1.0, =0.31.0, =0.1.0, =0.3.2, =0.5.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0123...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/11/10 12:0 p.m., 3 views

tandem_garble_interop (>=0.1.0 <=0.3.0) potentially affected by unknown CVE via tandem (>=0.1.0 <=0.3.0)

tandem CARGO version =0.1.0, =0.1.0, =0.3.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0117...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/10/21 12:0 p.m., 2 views

apple-opensource-downloader (=0.1.0), async_bagit (>=0.1.0 <=0.2.0) +11 more potentially affected by CVE-2025-62518 via tokio-tar (=0.3.1)

tokio-tar CARGO version =0.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on tokio-tar and may be impacted: - apple-opensource-downloader =0.1.0 - async_bagit =0.1.0, =0.1.8, =0.8.0, =0.2.0, =0.1.0, =0.2.5, =0.4.0, =0.6.0, =0.12.0, =0.1.0,...

8.1 CVSS, 6 AI score, 0.00017 EPSS
Exploits 1
SUSE Linux
added 2025/10/07 7:35 a.m., 4 views

Security update for gstreamer-plugins-rs

This update for gstreamer-plugins-rs fixes the following issues: Update crate shlex to 1.3.0: RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper...

7.2 AI score
Exploits 0, References 2
Tenable Nessus
added 2025/09/22 12:0 a.m., 1 view

Fedora 44 : python-nh3 / rust-ammonia (2025-06a8d5853b)

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-06a8d5853b advisory. Update the ammonia crate to version 4.1.2 and rebuild python-nh3 to apply fixes for RUSTSEC-2025-0071. Tenable has extracted the preceding description block...

5.6 AI score
Exploits 0, References 1
vulnersOsv
added 2025/09/17 12:0 p.m., 1 view

pingora (>=0.1.0 <=0.5.0), pingora-cache (>=0.1.0 <=0.5.0) +4 more potentially affected by CVE-2025-8671 via pingora-core (>=0.1.1 <=0.5.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.5.0 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2025-8671 Source advisory: OSV:RUSTSEC-2025-0070...

7.5 CVSS, 6 AI score, 0.00928 EPSS
Exploits 3
vulnersOsv
added 2025/09/14 12:0 p.m., 0 views

archivefs (>=1.0.0 <=1.0.1), arcon_compiler (>=0.1.0 <=0.1.1) +81 more potentially affected by unknown CVE via daemonize (>=0.2.3 <=0.5.0)

daemonize CARGO version =0.2.3, =1.0.0, =0.1.0, =0.3.1, =0.2.0, =3.0.0, =0.1.0, =0.1.3, =0.0.1, =0.1.0, =0.1.2, =0.1.0, =0.0.1, =0.2.10 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0069...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/09/09 12:0 p.m., 3 views

drivesync (=0.1.0), geckopanda (>=0.1.0 <=0.2.0) +601 more potentially affected by unknown CVE via google-apis-common (>=4.0.1 <=6.0.4)

google-apis-common CARGO version =4.0.1, =0.1.0, =5.0.2+20230114, =5.0.2+20230123, =5.0.2+20230120, =5.0.2+20200708, =5.0.2+20230123, =5.0.2+20230123, =5.0.2+20210330, =5.0.4+20210330 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0066...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/04/28 12:0 p.m., 0 views

audio-video-metadata (>=0.1.0 <=0.1.7), fselect (>=0.3.2 <=0.8.11) +4 more potentially affected by unknown CVE via mp3-metadata (>=0.1.1 <=0.3.4)

mp3-metadata CARGO version =0.1.1, =0.1.0, =0.3.2, =0.1.2, =0.1.0, =0.2.2 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0027...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/03/05 12:0 p.m., 2 views

AskAI (=0.1.0), ISP-SDK (>=0.1.0 <=0.2.3) +5198 more potentially affected by unknown CVE via ring (>=0.13.5 <=0.16.20)

ring CARGO version =0.13.5, =0.1.0, =0.1.0, =0.2.0, =0.10.2, =0.1.0, =0.2.0-beta.4, =0.21.0-alpha.1, =0.1.1, =0.11.0, =0.0.1, =0.0.7-alpha.3, =0.0.7-alpha.2, =0.0.7-alpha.1, =0.0.7-alpha.3, =0.2.0-alpha.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0010...

5.8 AI score
Exploits 0
vulnersOsv
added 2025/02/10 12:0 p.m., 2 views

datafu (>=0.0.6 <=0.0.7) potentially affected by unknown CVE via totally-safe-transmute (=0.0.3)

totally-safe-transmute CARGO version =0.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on totally-safe-transmute and may be impacted: - datafu =0.0.6, =0.0.7 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0030...

5.8 AI score
Exploits 0