VYPR
Medium severity6.5NVD Advisory· Published May 25, 2026· Updated Jun 1, 2026

CVE-2026-5222

CVE-2026-5222

Description

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Rust Lang/cargo2 versions
    cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*+ 1 more
    • cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*range: >=1.68.0,<1.96.0
    • (no CPE)range: >=1.68, <=1.96

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.