CVE-2026-5222

Published May 25, 2026 Modified May 26, 2026 CWE-647

Description

Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.

EPSS — Exploit Prediction

0.0004
Probability of exploitation
0.12%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-647 CWE-647

References

Frequently Asked Questions

What is CVE-2026-5222? +
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
How do I check if I'm vulnerable to CVE-2026-5222? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-64500 7.3

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component …
CVE-2025-66202 6.5

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker …
CVE-2025-47241 4.0

In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the …
CVE-2025-43916 3.4

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-5222 — free, no signup required.

Start Free Scan