CVE-2026-35363: uutils coreutils has a Path Traversal issue

April 22, 2026 (updated April 30, 2026)

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading ‘Invalid input’ error, which may cause users to miss the critical window for data recovery.

References

github.com/advisories/GHSA-vchc-9ggh-3236
github.com/uutils/coreutils
github.com/uutils/coreutils/issues/9749
nvd.nist.gov/vuln/detail/CVE-2026-35363

Code Behaviors & Features

Detect and mitigate CVE-2026-35363 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →