Package details: pkg:deb/debian/rustc@1.95.0%2Bdfsg1-1
purl pkg:deb/debian/rustc@1.95.0%2Bdfsg1-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6g9h-a8ff-e3gn | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. | CVE-2026-5223 |
| VCID-84g5-ws9p-e7fx | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. | CVE-2026-5222 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-29T23:09:48.489177+00:00 | Debian Importer | Fixing | VCID-84g5-ws9p-e7fx | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-05-29T22:51:38.004956+00:00 | Debian Importer | Fixing | VCID-6g9h-a8ff-e3gn | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |