Rust-lang Cargo
7 CVEs affecting Rust-lang Cargo. Latest disclosed: 2026-05-25. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-38497 | High | 7.8 | 2023-08-04 | Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not res… |
| CVE-2026-5222 | Medium | 6.5 | 2026-05-25 | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple r… |
| CVE-2023-40030 | Medium | 6.1 | 2023-08-24 | Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names whe… |
| CVE-2026-5223 | Medium | 5.3 | 2026-05-25 | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of a… |
| CVE-2022-46176 | Medium | 5.3 | 2023-01-11 | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and depen… |
| CVE-2022-36114 | Medium | 4.8 | 2022-09-14 | Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives… |
| CVE-2022-36113 | Medium | 4.6 | 2022-09-14 | Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, mak… |
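Four of the entries above (CVE-2022-36113, CVE-2022-36114, CVE-2023-38497 and CVE-2026-5223) are the same class of bug: trusting what a downloaded crate tarball says about itself. The std-only Rust validator below is an added example, not code from the Cargo project, showing the checks an extractor has to make before touching the filesystem: refuse symlink and hard-link entries, refuse paths that leave the extraction directory, sum the declared sizes against a hard limit, and apply the process umask to the archive's permission bits. The `sample` archives, the 64 KiB limit and the `0o022` umask are constructed for the demo and are not Cargo's values.

```rust
// Added example (not Cargo's code): a conservative validator for the entries
// of a crate tarball (the uncompressed tar inside a .crate file). Checks:
//   - symlinks and hard links are refused outright (CVE-2022-36113, CVE-2026-5223)
//   - paths must stay inside the extraction directory
//   - declared sizes are summed against a hard limit (CVE-2022-36114)
//   - permission bits are masked with the umask (CVE-2023-38497)
// The sample archives built by `sample()` are constructed test data; the
// limit and umask values used in main() are arbitrary demo choices.
use std::path::{Component, Path};

const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub enum Reject {
    Symlink(String),
    HardLink(String),
    Traversal(String),
    TooLarge { seen: u64, limit: u64 },
    Malformed,
}

/// The ustar header fields the checks need.
#[derive(Debug)]
pub struct Entry {
    pub name: String,
    pub size: u64,
    pub mode: u32,
    pub typeflag: u8,
}

/// Decode a NUL/space padded octal field; an empty field reads as 0.
fn octal_field(raw: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(raw).ok()?;
    let s = s.trim_matches(|c| c == '\0' || c == ' ');
    if s.is_empty() {
        return Some(0);
    }
    u64::from_str_radix(s, 8).ok()
}

/// Parse one 512-byte header; `Ok(None)` means the end-of-archive zero block.
pub fn parse_header(block: &[u8]) -> Result<Option<Entry>, Reject> {
    if block.len() != BLOCK {
        return Err(Reject::Malformed);
    }
    if block.iter().all(|&b| b == 0) {
        return Ok(None);
    }
    let name = String::from_utf8_lossy(&block[0..100]).trim_end_matches('\0').to_string();
    let mode = octal_field(&block[100..108]).ok_or(Reject::Malformed)? as u32;
    let size = octal_field(&block[124..136]).ok_or(Reject::Malformed)?;
    Ok(Some(Entry { name, size, mode, typeflag: block[156] }))
}

/// Refuse empty names, absolute paths and any `..` component.
pub fn check_path(name: &str) -> Result<(), Reject> {
    if name.is_empty() {
        return Err(Reject::Malformed);
    }
    for c in Path::new(name).components() {
        match c {
            Component::Normal(_) | Component::CurDir => {}
            _ => return Err(Reject::Traversal(name.to_string())),
        }
    }
    Ok(())
}

/// Archive permission bits are never honoured verbatim: the extracting
/// process's umask is applied, exactly as for a file it creates itself.
pub fn apply_umask(archive_mode: u32, umask: u32) -> u32 {
    archive_mode & 0o777 & !umask
}

/// Walk the archive headers; return (path, effective mode) for every regular
/// file or directory that passes all checks, or the first rejection.
pub fn validate_archive(tar: &[u8], limit: u64, umask: u32) -> Result<Vec<(String, u32)>, Reject> {
    let mut accepted = Vec::new();
    let mut total: u64 = 0;
    let mut off = 0;
    while off + BLOCK <= tar.len() {
        let e = match parse_header(&tar[off..off + BLOCK])? {
            Some(e) => e,
            None => break,
        };
        off += BLOCK;
        match e.typeflag {
            b'2' => return Err(Reject::Symlink(e.name)),
            b'1' => return Err(Reject::HardLink(e.name)),
            b'0' | 0 | b'5' => {}
            _ => return Err(Reject::Malformed), // devices, pax/GNU extensions: refuse rather than guess
        }
        check_path(&e.name)?;
        total = total.checked_add(e.size).ok_or(Reject::Malformed)?;
        if total > limit {
            return Err(Reject::TooLarge { seen: total, limit });
        }
        // Data blocks follow the header, padded to a 512-byte boundary.
        off += ((e.size as usize + BLOCK - 1) / BLOCK) * BLOCK;
        accepted.push((e.name, apply_umask(e.mode, umask)));
    }
    Ok(accepted)
}

/// Build one ustar header block for the constructed samples (test data only).
pub fn header(name: &str, size: u64, mode: u32, typeflag: u8) -> Vec<u8> {
    let mut b = vec![0u8; BLOCK];
    b[..name.len()].copy_from_slice(name.as_bytes());
    b[100..107].copy_from_slice(format!("{:07o}", mode).as_bytes());
    b[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    b[148..156].copy_from_slice(b"        "); // checksum field is spaces while summing
    b[156] = typeflag;
    let sum: u32 = b.iter().map(|&x| x as u32).sum();
    b[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    b
}

/// Constructed sample archive: (name, size, mode, typeflag) entries with
/// filler data blocks, followed by the two zero trailer blocks.
pub fn sample(entries: &[(&str, u64, u32, u8)]) -> Vec<u8> {
    let mut t = Vec::new();
    for &(name, size, mode, flag) in entries {
        t.extend(header(name, size, mode, flag));
        let padded = ((size as usize + BLOCK - 1) / BLOCK) * BLOCK;
        t.extend(std::iter::repeat(b'x').take(padded));
    }
    t.extend(vec![0u8; 2 * BLOCK]);
    t
}

fn main() {
    let cases = [
        ("benign", sample(&[("c-1.0.0/Cargo.toml", 5, 0o666, b'0'), ("c-1.0.0/src/lib.rs", 3, 0o755, b'0')])),
        ("symlink", sample(&[("c-1.0.0/.cargo-ok", 0, 0o777, b'2')])),
        ("oversized", sample(&[("c-1.0.0/a", 40_000, 0o644, b'0'), ("c-1.0.0/b", 40_000, 0o644, b'0')])),
        ("traversal", sample(&[("../../.cargo/config.toml", 0, 0o644, b'0')])),
    ];
    for (label, tar) in cases {
        println!("{label}: {:?}", validate_archive(&tar, 64 * 1024, 0o022));
    }
}
```

The size check here only sums what the headers declare; a production extractor also has to bound the decompressed stream itself, since the headers are no more honest than the rest of a hostile archive. Refusing unknown entry types rather than skipping them is deliberate: every entry type an extractor does not understand is one it cannot reason about.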