About “Gleam”

A curated feed of “Gleam”-related CVEs appears below. We currently track 9 CVEs for this tag (all time). In the last 365 days, 9 were published. Average CVSS is 6.2 (all time; 6.2 over 365d), and 44% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-59 - Improper Link Resolution Before File Access ('Link Following'), CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: gleam

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

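| Cycle | Release | Latest | EOL | LTS |
|-------|---------|--------|-----|-----|
| 1.16 | | 1.16.0 | - | |
| 1.15 | | 1.15.4 | Expired | |
| 1.14 | | 1.14.0 | Expired | |
| 1.13 | | 1.13.0 | Expired | |
| 1.12 | | 1.12.0 | Expired | |
| 1.11 | | 1.11.1 | Expired | |
| 1.10 | | 1.10.0 | Expired | |
| 1.9 | | 1.9.1 | Expired | |
| 1.8 | | 1.8.1 | Expired | |
| 1.7 | | 1.7.0 | Expired | |
| 1.6 | | 1.6.3 | Expired | |
| 1.5 | | 1.5.1 | Expired | |
| 1.4 | | 1.4.1 | Expired | |
| 1.3 | | 1.3.2 | Expired | |
| 1.2 | | 1.2.1 | Expired | |
| 1.1 | | 1.1.1 | Expired | |
| 1.0 | | 1.0.0 | Expired | |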

Status legend: Maintained, Soon (≤ 180 days), Expired


CVEs tagged with this topic.
2026-06-02
Medium

CVE-2026-43965

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.t…

Medium

CVE-2026-42795

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_…

Medium

CVE-2026-32685

Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages…

2026-04-11
High

CVE-2026-32146

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and…

2026-04-02
Medium

CVE-2026-34715

ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without vali…

High

CVE-2026-32145

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipart_body function bypasses configured max_…

2026-03-20
Medium

CVE-2026-32881

ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling m…

High

CVE-2026-32873

ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trai…

2026-03-10
High

CVE-2026-28807

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static f…
