CVE-2026-35363

MEDIUM5.6EPSS 0.01%

uutils coreutils has a Path Traversal issue

發布日:2026/4/22修改日:2026/6/2

也稱為:GHSA-vchc-9ggh-3236CGA-fx2x-7x9q-pxh9

描述

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.

受影響套件(2)

crates.io/coreutilsfrom 0, <= 0.8.0
Debian/rust-coreutilsfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35363
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35363
PATCHhttps://github.com/uutils/coreutils
WEBhttps://github.com/uutils/coreutils/issues/9749