CVE-2026-43965— Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
Affected Version Matrix 13
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Gleam | Gleam | 0.18.0-rc1< 1.17.0 | affected |
0.18.0-rc1< 1.17.0 | affected | ||
ed7aec0484f10d60978b63788c8a6497590855ab< 690ca069817bee5f77a28fc3e360627c1da19291 | affected | ||
v0.18.0-rc1-elixir< v1.17.0-elixir | affected | ||
v0.18.0-rc1-erlang< v1.17.0-erlang | affected | ||
v0.18.0-rc1-node< v1.17.0-node | affected | ||
v0.18.0-rc1-node-slim< v1.17.0-node-slim | affected | ||
v0.18.0-rc1-elixir-slim< v1.17.0-elixir-slim | affected | ||
| … +5 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43965
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
Source: NVD (National Vulnerability Database)
Vulnerability Description
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories. An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted. This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43965
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43965
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-43965 (1)
Vendor Advisories for CVE-2026-43965 (3)
Same Patch Batch · Gleam · 2026-06-02 · 3 CVEs total
| CVE-2026-42795 | Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root | |
| CVE-2026-32685 | Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and |
IV. Related Vulnerabilities
Same weakness: CWE-22
- CVE-2026-49144
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP H - CVE-2026-32685
Path Traversal in gleam docs build via documentation.pages A - CVE-2026-49136
Banana Slides 0.4.0 Path Traversal via generate_image() in a - CVE-2026-43624
F5-TTS 1.1.20 Path Traversal via finetune_gradio.py create_d - CVE-2026-10278
ishayoyo excel-mcp read_file/write_file index.ts path traver
V. Comments for CVE-2026-43965
No comments yet