Cargo

This hub aggregates every CVE we track for Cargo, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cargo.

• CVE-2026-5223Crates in third party registries can override the cached source of other crates5.3May 25, 2026
• CVE-2026-5222Cargo can be coerced to share credentials between registries6.5May 25, 2026
• CVE-2026-39837Stored XSS through the dynamic table format in Cargo5.4Apr 7, 2026
• CVE-2026-39841Stored XSS through list fields on Cargo's page values and Special:CargoTables6.1Apr 7, 2026
• CVE-2026-39840CSS injection in multiple Cargo display formats6.1Apr 7, 2026
• CVE-2026-39839Stored XSS through URLs in Cargo's map format6.1Apr 7, 2026
• CVE-2024-47847Various XSSes found in Cargo6.1Oct 5, 2024
• CVE-2024-47846Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection8.8Oct 5, 2024
• CVE-2024-47849Backticks can allow the usage of not-allowed SQL functions9.8Oct 5, 2024
• CVE-2023-40030Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports6.1Aug 24, 2023
• CVE-2023-38497Cargo not respecting umask when extracting crate archives7.9Aug 4, 2023
• CVE-2022-46176Cargo did not verify SSH host keys5.3Jan 11, 2023
• CVE-2022-36113Extracting malicious crates can corrupt arbitrary files4.6Sep 14, 2022
• CVE-2022-36114Extracting malicious crates can fill the file system4.8Sep 14, 2022
• CVE-2019-16760Cargo prior to Rust 1.26.0 may download the wrong dependency4.6Sep 30, 2019