Skip to main content

Gleam

1 CVEs product

Monthly

CVE-2026-32146 HIGH PATCH This Week

Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.

Path Traversal RCE Gleam
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.

Path Traversal RCE Gleam
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy