CVE-2026-42795

MEDIUM EPSS 3.1%
Published Jun 2, 20264w ago · Modified Jun 17, 20261w ago
5.1 CVSS 4.0
Medium
Find Similar
Published Jun 2, 2026 4w ago
Last Modified Jun 17, 2026 1w ago

Description

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
3.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-59

References 4

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-42795.html
  • github.com https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866
  • github.com https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-42795

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.