Vulnerability in Gleam

CVE-2026-42795

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/sr…

EPSS: 0.000 (2.6th percentile)

Affected products

  • Gleam — versions 0.10.0-rc1, c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c, v0.10.0-rc1-elixir

Weakness classification (CWE)

References