GHSA-m2pg-c7m6-77pj

Source

https://github.com/advisories/GHSA-m2pg-c7m6-77pj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m2pg-c7m6-77pj/GHSA-m2pg-c7m6-77pj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m2pg-c7m6-77pj

Aliases

CVE-2026-35380

Published

2026-04-22T18:31:46Z

Modified

2026-05-05T16:09:39.142668Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

uutils coreutils has an Improper Input Validation Issue in its cut Utility

Details

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d (delimiter) and --output-delimiter options. This vulnerability can lead to silent data corruption or logic errors in automated scripts and data pipelines that process strings containing these characters, as the utility may unintentionally split or join data on NUL bytes rather than the intended literal characters.

Database specific

{
    "nvd_published_at": "2026-04-22T17:16:43Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T18:06:30Z"
}

References

Affected packages

crates.io / coreutils

Package

Name: coreutils; View open source insights on deps.dev
Purl: pkg:cargo/coreutils

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m2pg-c7m6-77pj/GHSA-m2pg-c7m6-77pj.json"