Path Traversal Vulnerability in Gleam Documentation Handling
CVE-2026-32685
What is CVE-2026-32685?
A path traversal vulnerability exists in Gleam's handling of custom documentation pages, enabling unauthorized file read and write operations. The issue arises because documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation. An attacker can exploit the flaw by persuading a user to run the 'gleam docs build' command on an untrusted project or with untrusted gleam.toml content. Sensitive local files can then be included in the generated documentation, and harmful files can be written outside the designated output directory, posing significant security risks.
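One way to reject such entries before they reach the filesystem, shown as an added example in Rust (the language the Gleam compiler is written in); it is not the Gleam project's code or its actual fix. The names `confine`, `check_page` and `DocPage` are hypothetical, the `path` and `source` fields are assumed to mirror the keys of a documentation.pages entry, and the sample paths are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Join `entry` onto `base`, refusing absolute paths and any `..` that would
/// climb above `base`. Lexical only: nothing on disk is touched or resolved.
fn confine(base: &Path, entry: &str) -> Result<PathBuf, String> {
    let mut out = base.to_path_buf();
    let mut depth = 0usize; // components currently below `base`
    for part in Path::new(entry).components() {
        match part {
            Component::Normal(name) => { out.push(name); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir => {
                if depth == 0 {
                    return Err(format!("{:?} escapes {}", entry, base.display()));
                }
                out.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("{:?} is absolute", entry));
            }
        }
    }
    if depth == 0 { return Err(format!("{:?} names no file", entry)); }
    Ok(out)
}

/// Hypothetical mirror of one documentation.pages entry.
struct DocPage { path: &'static str, source: &'static str }

/// Returns (file to read, file to write) only if both stay inside their roots.
fn check_page(project: &Path, out_dir: &Path, page: &DocPage) -> Result<(PathBuf, PathBuf), String> {
    Ok((confine(project, page.source)?, confine(out_dir, page.path)?))
}

fn main() {
    let (project, out_dir) = (Path::new("/work/proj"), Path::new("/work/proj/build/docs"));
    // Constructed sample entries, not taken from any real project.
    let pages = [
        DocPage { path: "guide.html", source: "docs/guide.md" },
        DocPage { path: "guide.html", source: "../outside/notes.txt" },
        DocPage { path: "../../elsewhere.html", source: "docs/guide.md" },
    ];
    for p in &pages {
        println!("{} <- {}: {:?}", p.path, p.source, check_page(project, out_dir, p));
    }
}
```

The check is purely lexical, so a symlink inside the project that points elsewhere is not caught; resolving the joined path and re-checking its prefix would be needed for that case.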
Affected Version(s)
Gleam 1.16.0 < 1.17.0
Gleam 61ed8deb6572b5591ad17d6302c1a38607522f16 < 81570611906b6b0039c948037094d09a68700f3a
