crates.io

Top products

The 15 most recently published vulnerabilities affecting crates.io.

• CVE-2026-32314Yamux remote Panic via malformed Data frame with SYN set and len = 2621457.5Mar 13, 2026
• CVE-2026-31814Yamux remote Panic via malformed WindowUpdate credit7.5Mar 13, 2026
• CVE-2026-32322soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction5.3Mar 12, 2026
• CVE-2026-32260Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)8.1Mar 12, 2026
• CVE-2026-32232ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink9.8Mar 12, 2026
• CVE-2026-32231ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data8.2Mar 12, 2026
• CVE-2026-29795stellar-xdr: `StringM::from_str` bypasses max length validation4.0Mar 6, 2026
• CVE-2026-27898Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher5.4Mar 4, 2026
• CVE-2026-27803Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role8.3Mar 4, 2026
• CVE-2026-27802Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager8.3Mar 4, 2026
• CVE-2026-21882theshit's Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution8.4Mar 2, 2026
• CVE-2025-13327Uv: uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials6.3Feb 27, 2026
• CVE-2026-27822Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover9.0Feb 25, 2026
• CVE-2026-27607RustFS's Missing Post Policy Validation leads to Arbitrary Object Write8.1Feb 25, 2026
• CVE-2026-27572Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance7.5Feb 24, 2026