Path Traversal Vulnerability in uutils coreutils rm Utility
CVE-2026-35363

5.6 MEDIUM

Key Information:

Vendor

Uutils

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-35363?

The rm utility in uutils coreutils contains a vulnerability that bypasses the safeguards meant to protect the current directory. The utility refuses to delete the directory references '.' and '..', but it does not account for equivalent paths with trailing slashes, such as './' or './//'. As a result, executing 'rm -rf ./' may silently delete the entire contents of the current directory. The operation can further obscure the data loss by issuing a deceptive 'Invalid input' error, which might prevent users from acting in time to recover their deleted data.
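The check described above, as an added example (not code from uutils coreutils; all function names are hypothetical): an exact-match guard beside one that strips trailing slashes first. The hardened form goes slightly beyond the advisory by testing the final path component, which is the rule POSIX gives for rm operands.

```rust
// Added example: not uutils code. Function names are hypothetical.

/// Flawed pattern described above: exact string match on the operand.
fn naive_is_dot_or_dotdot(operand: &str) -> bool {
    operand == "." || operand == ".."
}

/// Hardened check: ignore trailing separators, then test the final component.
fn refers_to_dot_or_dotdot(operand: &str) -> bool {
    let trimmed = operand.trim_end_matches('/');
    // Only slashes (e.g. "/") means the root directory; that needs its own guard.
    if trimmed.is_empty() {
        return false;
    }
    let last = trimmed.rsplit('/').next().unwrap_or(trimmed);
    last == "." || last == ".."
}

/// Split operands into (allowed, refused) before any deletion is attempted.
fn screen_operands<'a>(operands: &[&'a str]) -> (Vec<&'a str>, Vec<&'a str>) {
    operands
        .iter()
        .copied()
        .partition(|op| !refers_to_dot_or_dotdot(op))
}

fn main() {
    // Constructed sample operands, including the forms named in the advisory.
    let samples = [".", "./", ".///", "..", "../", "sub/.", "./file", ".hidden", "..."];
    for s in samples {
        println!(
            "{:<8} naive_refuses={:<5} hardened_refuses={}",
            s,
            naive_is_dot_or_dotdot(s),
            refers_to_dot_or_dotdot(s)
        );
    }
    let (allowed, refused) = screen_operands(&samples);
    println!("allowed: {:?}\nrefused: {:?}", allowed, refused);
}
```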

CVSS V3.1

Score: 5.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zellic