Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-s1us-54av-gfhb
Vulnerability ID VCID-s1us-54av-gfhb
Aliases CVE-2026-35363
GHSA-vchc-9ggh-3236
Summary A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
System Score Found at
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2026-35363
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2026-35363
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-35363
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vchc-9ggh-3236
cvssv3.1 5.6 https://github.com/uutils/coreutils
generic_textual MODERATE https://github.com/uutils/coreutils
cvssv3.1 5.6 https://github.com/uutils/coreutils/issues/9749
generic_textual MODERATE https://github.com/uutils/coreutils/issues/9749
ssvc Track https://github.com/uutils/coreutils/issues/9749
cvssv3.1 5.6 https://nvd.nist.gov/vuln/detail/CVE-2026-35363
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-35363
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35363
https://github.com/uutils/coreutils
https://nvd.nist.gov/vuln/detail/CVE-2026-35363
1134876 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134876
9749 https://github.com/uutils/coreutils/issues/9749
GHSA-vchc-9ggh-3236 https://github.com/advisories/GHSA-vchc-9ggh-3236
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/uutils/coreutils
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/uutils/coreutils/issues/9749
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:24:03Z/ Found at https://github.com/uutils/coreutils/issues/9749
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35363
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01226
EPSS Score 0.0001
Published At June 12, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:45:04.732251+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35363.json 38.6.0