CVE-2026-47261

HIGH7.5

WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Published: 5/21/2026Modified: 5/22/2026

Also known as:GHSA-2r75-cxrj-cmphRUSTSEC-2026-0149

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph For more information see the GitHub-hosted security advisory.

Affected packages (1)

crates.io/wasmtime-wasi>= 0.0.0-0, < 24.0.9, >= 25.0.0, < 36.0.10, >= 37.0.0, < 44.0.2, >= 45.0.0, < 45.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
ADVISORYhttps://rustsec.org/advisories/RUSTSEC-2026-0149.html
PATCHhttps://crates.io/crates/wasmtime-wasi