CVE-2026-5223
Published: May 25, 2026
Modified: May 27, 2026
PUBLISHED
Description
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
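The rule the description attributes to crates.io (no symlink entries in a crate archive) can be applied as a pre-install audit to `.crate` files fetched from a third-party registry. The following is an added example, not code from Cargo or crates.io; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile


def find_symlinks(crate_bytes):
    """Return (member name, link target) for every symlink entry in a .crate archive."""
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as archive:
        # Only tar headers are inspected; nothing is extracted to disk.
        return [(m.name, m.linkname) for m in archive if m.issym()]


def audit_crate(crate_bytes):
    """Raise ValueError if the archive contains any symlink entry."""
    links = find_symlinks(crate_bytes)
    if links:
        listing = ", ".join(f"{name} -> {target}" for name, target in links)
        raise ValueError(f"crate archive contains symlinks: {listing}")


def build_sample_crate(with_symlink):
    """Construct a small in-memory .crate (gzip-compressed tar) as sample input."""
    files = (
        ("demo-0.1.0/Cargo.toml", b'[package]\nname = "demo"\nversion = "0.1.0"\n'),
        ("demo-0.1.0/src/lib.rs", b"pub fn demo() {}\n"),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for path, body in files:
            info = tarfile.TarInfo(path)
            info.size = len(body)
            archive.addfile(info, io.BytesIO(body))
        if with_symlink:
            # Constructed symlink entry with a placeholder target.
            link = tarfile.TarInfo("demo-0.1.0/linked")
            link.type = tarfile.SYMTYPE
            link.linkname = "placeholder-target"
            archive.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        try:
            audit_crate(build_sample_crate(flag))
            print("ok: no symlink entries")
        except ValueError as err:
            print("rejected:", err)
```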
| Vendor | Product | Versions |
|---|---|---|
| Rust Project | Cargo | affected 1.0.0 - < 1.96.0 |
Weaknesses (CWE)
References
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8 (vendor-advisory, mailing-list)
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ (vendor-advisory)