CVE Alert

CVE-2026-5223

UNKNOWN 0.0

Crates in third party registries can override the cached source of other crates

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 14th

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
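An operator of a third-party registry can apply the same kind of upload policy the description attributes to crates.io. The following is an added example, not code from Cargo, crates.io, or this page: it lists the entries of a `.crate` archive without extracting it and rejects any archive that contains a symlink. It goes slightly beyond the description by also flagging hardlinks and special entries; the function names, the sample archive, and its link target are constructed for illustration.

```python
import io
import tarfile

def find_link_entries(crate_bytes):
    """Return (path, kind, target) for every link or special entry in a .crate archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:  # iterates headers only; nothing is written to disk
            if member.issym():
                findings.append((member.name, "symlink", member.linkname))
            elif member.islnk():
                findings.append((member.name, "hardlink", member.linkname))
            elif not (member.isfile() or member.isdir()):
                findings.append((member.name, "special", ""))
    return findings

def accept_crate(crate_bytes):
    """Upload policy: accept only archives made of regular files and directories."""
    return not find_link_entries(crate_bytes)

def build_sample_crate(with_symlink):
    """Constructed sample archive for the demonstration (not a real crate)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"pub fn hello() {}\n"
        info = tarfile.TarInfo("demo-0.1.0/src/lib.rs")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
        if with_symlink:
            link = tarfile.TarInfo("demo-0.1.0/vendor")
            link.type = tarfile.SYMTYPE
            link.linkname = "placeholder-target"  # constructed value
            tar.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean", False), ("with symlink", True)):
        data = build_sample_crate(flag)
        verdict = "accepted" if accept_crate(data) else "rejected"
        print(label, verdict, find_link_entries(data))
```

The same function can be run over the `.crate` files already stored by a registry to find archives that predate such a policy.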

CWE: CWE-61
Vendor: rust project
Product: cargo
Published: May 25, 2026
Last Updated: May 27, 2026

Affected Versions

Rust Project / Cargo
1.0.0 < 1.96.0

References

groups.google.com: https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
blog.rust-lang.org: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
github.com: https://github.com/rust-lang/cargo/pull/17031