unix-symbolic-link-(symlink)-following
CVE-2026-5223
Cargo (Rust)
CVSS Details
CVSS Score
Medium
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Weakness
CWE-61 UNIX Symbolic Link (Symlink) Following
Description
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
Disclosure Date
Public Disclosure
May 25, 2026