GHSA-vchc-9ggh-3236

Source

https://github.com/advisories/GHSA-vchc-9ggh-3236

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vchc-9ggh-3236/GHSA-vchc-9ggh-3236.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vchc-9ggh-3236

Aliases

CVE-2026-35363

Related

CGA-fx2x-7x9q-pxh9

Published

2026-04-22T18:31:45Z

Modified

2026-06-02T18:29:39.668322753Z

Severity

5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L CVSS Calculator

Summary

uutils coreutils has a Path Traversal issue

Details

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T17:30:54Z",
    "nvd_published_at": "2026-04-22T17:16:39Z",
    "severity": "MODERATE"
}

References

Affected packages

crates.io / coreutils

Package

Name: coreutils; View open source insights on deps.dev
Purl: pkg:cargo/coreutils

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vchc-9ggh-3236/GHSA-vchc-9ggh-3236.json"