cvedb.io
CVE-2026-32146
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-04-11T14:16:03.640 · Last modified 2026-06-30T03:18:29.037

Summary

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies.
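The missing control described above is twofold: validating the dependency name itself and confining the computed path to the dependency directory before any delete or create happens. The Rust example below is an added illustration of both checks, not code from the Gleam compiler; the allowed name character set (lowercase ASCII letters, digits, underscores) and the `build/packages` directory are assumptions made for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reject any dependency name that is not a single, plain path component.
/// The allowed character set (lowercase ASCII letters, digits, underscores)
/// is an assumption for this example, not a quote of the compiler's rules.
pub fn is_valid_dependency_name(name: &str) -> bool {
    !name.is_empty()
        && name.len() <= 64
        && name
            .bytes()
            .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'_')
}

/// Compute the directory a dependency may occupy, confined to `deps_dir`.
/// Two independent layers: the name must be a valid package name, and the
/// joined path must be exactly `deps_dir` plus one Normal component
/// (no `..`, no root, no prefix). Only a path that passes both should ever
/// be handed to a remove_dir_all / create_dir_all style operation.
pub fn confined_dependency_dir(deps_dir: &Path, name: &str) -> Result<PathBuf, String> {
    if !is_valid_dependency_name(name) {
        return Err(format!("invalid dependency name: {name:?}"));
    }
    // Note: Path::join with an absolute `name` would replace the base entirely,
    // which is why the lexical confinement check below is not redundant.
    let candidate = deps_dir.join(name);
    let rest = candidate
        .strip_prefix(deps_dir)
        .map_err(|_| format!("path {:?} escapes {:?}", candidate, deps_dir))?;
    let mut comps = rest.components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => Ok(candidate),
        _ => Err(format!("path {:?} escapes {:?}", candidate, deps_dir)),
    }
}

fn main() {
    // Constructed sample names: one legitimate, the rest malformed.
    let deps = Path::new("build/packages");
    for name in ["gleam_stdlib", "../escape", "/tmp/abs", "Bad-Name", ""] {
        match confined_dependency_dir(deps, name) {
            Ok(p) => println!("{name:?} -> {}", p.display()),
            Err(e) => println!("{name:?} rejected: {e}"),
        }
    }
}
```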

Affected products

lpil — gleam



This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.