Skip to main content

Cargo

8 CVEs product

Monthly

CVE-2026-5223 Cargo MEDIUM PATCH GHSA This Month

Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.

Information Disclosure Cargo
NVD GitHub
CVSS 4.0
6.5
EPSS
0.0%
CVE-2026-5222 Cargo LOW PATCH GHSA Monitor

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.

Information Disclosure Cargo
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2024-47849 HIGH POC PATCH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.6.X before 3.6.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Cargo
NVD
CVSS 4.0
8.8
EPSS
0.5%
CVE-2024-47847 PHP MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).6.X before. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cargo
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2024-47846 MEDIUM POC PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.6.X before 3.6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Cargo
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2023-38497 Cargo HIGH PATCH This Week

Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Information Disclosure Cargo Fedora
NVD GitHub
CVSS 3.1
7.3
EPSS
0.8%
CVE-2022-36114 Cargo MEDIUM PATCH This Month

Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

RCE Denial Of Service Cargo
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-36113 Cargo HIGH PATCH This Week

Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Cargo
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.

Information Disclosure Cargo
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.

Information Disclosure Cargo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.6.X before 3.6.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Cargo
NVD
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).6.X before. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cargo
NVD
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.6.X before 3.6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Cargo
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Information Disclosure Cargo Fedora
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

RCE Denial Of Service Cargo
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Cargo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy