CVE-2026-42795— Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Possible ATT&CK Techniques 1AI
T1565.001 · Stored Data ManipulationAffected Version Matrix 13
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Gleam | Gleam | 0.10.0-rc1< 1.17.0 | affected |
0.10.0-rc1< 1.17.0 | affected | ||
c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c< 6435a5528b9ae0449e2f32be579641ec485f6866 | affected | ||
v0.10.0-rc1-elixir< v1.17.0-elixir | affected | ||
v0.10.0-rc1-erlang< v1.17.0-erlang | affected | ||
v0.10.0-rc1-node< v1.17.0-node | affected | ||
v0.10.0-rc1-node-slim< v1.17.0-node-slim | affected | ||
v0.10.0-rc1-elixir-slim< v1.17.0-elixir-slim | affected | ||
| … +5 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42795
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Source: NVD (National Vulnerability Database)
Vulnerability Description
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42795
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42795
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-42795 (1)
Vendor Advisories for CVE-2026-42795 (3)
Same Patch Batch · Gleam · 2026-06-02 · 3 CVEs total
| CVE-2026-43965 | Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion | |
| CVE-2026-32685 | Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and |
IV. Related Vulnerabilities
Same weakness: CWE-59
- CVE-2026-40861
Apache Airflow: Arbitrary File Read via Log Symlink followin - CVE-2026-6892
Canon CUPS Printer Driver 安全漏洞 - CVE-2026-6891
Canon My Image Garden 安全漏洞 - CVE-2026-45403
AnythingLLM: filesystem-copy-file follows nested symlinks an - CVE-2026-44881
Portainer: Arbitrary File Read via Git Symlink Injection in
V. Comments for CVE-2026-42795
No comments yet