PT-2026-43025 · Rust · Cargo

Christos Papakonstantinou

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-5223

CVSS v4.0

6.5

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions Cargo versions prior to 1.96.0
Description Cargo incorrectly handled symbolic links (symlinks)—which are files that point to another file or directory—inside crate tarballs downloaded from third-party registries. This allows a malicious crate to override the source code of another crate originating from the same registry.
Recommendations Update to version 1.96.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08152
CVE-2026-5223
GHSA-JQ42-7MFV-HM57

Affected Products

Cargo