Vendor: Ocaml
Products: 3
CVEs: 6
Across products: 9
Status: Private
Products (3)
- 5 CVEs
- 3 CVEs
- 1 CVE
Recent CVEs (6)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-9772 | Cri | 0.64 | 9.8 | 0.01 | | Jun 23, 2017 | Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable. |
| CVE-2017-9779 | Hig | 0.51 | 7.8 | 0.00 | | Sep 7, 2017 | OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact." |
| CVE-2026-41082 | Hig | 0.47 | 7.3 | 0.00 | | Apr 16, 2026 | In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. |
| CVE-2026-34353 | Med | 0.38 | 5.9 | 0.00 | | Mar 27, 2026 | In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed. |
| CVE-2026-28364 | | 0.00 | — | 0.00 | | Feb 27, 2026 | In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. |
| CVE-2009-2943 | | 0.00 | — | 0.00 | | Oct 22, 2009 | The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. |