Every CVE whose affected-product data names Rust-lang Cargo, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (6)
CVE-2023-38497 — CVSS 7.9 (high): Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to…
CVE-2026-5222 — CVSS 6.5 (medium): Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting…
CVE-2022-46176 — CVSS 5.3 (medium): Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when…
CVE-2026-5223 — CVSS 5.3 (medium): Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override…
CVE-2022-36114 — CVSS 4.8 (medium): Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from…
CVE-2022-36113 — CVSS 4.6 (medium): Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo…