VYPR

cargo

by Rust Lang

CVEs (2)

  • CVE-2026-5222 | Med | May 25, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry…

  • CVE-2026-5223 | Med | May 25, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party…