VYPR
Medium severity5.3NVD Advisory· Published May 25, 2026· Updated Jun 1, 2026

CVE-2026-5223

CVE-2026-5223

Description

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Rust Lang/cargo2 versions
    cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*+ 1 more
    • cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*range: <1.96.0
    • (no CPE)

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.