VYPR

Gleam

by Gleam Lang

CVEs (4)

  • CVE-2026-32146 | Hig | Apr 11, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient…

  • CVE-2026-43965 | Med | Jun 2, 2026
    risk 0.29 | cvss | epss 0.00

    Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to…

  • CVE-2026-42795 | Med | Jun 2, 2026
    risk 0.26 | cvss | epss 0.00

    Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when…

  • CVE-2026-32685 | Med | Jun 2, 2026
    risk 0.23 | cvss | epss 0.00

    Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages entries from gleam.toml are incorporated into filesystem paths without…