CVE-2026-5222
EUVD-2026-3165425.05.2026, 10:16
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| rust-lang | cargo | 1.68.0 ≤ 𝑥 < 1.96.0 |
𝑥
= Vulnerable software versions
Amazon Linux Releases