CVE-2026-35363

MEDIUM5.6EPSS 0.01%

uutils coreutils has a Path Traversal issue

Published: 4/22/2026Modified: 6/2/2026

Also known as:GHSA-vchc-9ggh-3236CGA-fx2x-7x9q-pxh9

Description

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

Affected packages (2)

crates.io/coreutilsfrom 0, <= 0.8.0
Debian/rust-coreutilsfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35363
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35363
PATCHhttps://github.com/uutils/coreutils
WEBhttps://github.com/uutils/coreutils/issues/9749