CVE-2026-41082
7.3 HIGH
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory
Published: 2026-04-16 · Last updated: 2026-06-16
Severity and scoring
- CVSS: 7.3 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- CWE: CWE-24
Description
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-41082
- [Other] https://github.com/ocaml/opam/pull/6897
- [Other] https://github.com/ocaml/opam/releases/tag/2.5.1
- [Other] https://osv.dev/vulnerability/OSEC-2026-03
- [Other] https://lists.debian.org/debian-lts-announce/2026/04/msg00021.html
Related CVEs
Same CWE
- CVE-2026-49103 — Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component
- CVE-2026-22810 — Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks (8.2 HIGH)