{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41082", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T17:32:39.584Z", "datePublished": "2026-04-16T17:32:40.068Z", "dateUpdated": "2026-04-21T09:32:52.152Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:opam/opam-format", "product": "opam", "vendor": "OCaml", "versions": [{"lessThan": "2.5.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-24", "description": "CWE-24 Path Traversal: '../filedir'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T23:00:36.235Z"}, "references": [{"url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}, {"url": "https://github.com/ocaml/opam/pull/6897"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T18:37:03.655616Z", "id": "CVE-2026-41082", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:37:08.983Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00021.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T09:32:52.152Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00021.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T09:32:52.152Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41082", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T18:37:03.655616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:37:06.220Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OCaml", "product": "opam", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.1", "versionType": "semver"}], "packageURL": "pkg:opam/opam-format", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}, {"url": "https://github.com/ocaml/opam/pull/6897"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-24", "description": "CWE-24 Path Traversal: '../filedir'"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T23:00:36.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41082", "state": "PUBLISHED", "dateUpdated": "2026-04-21T09:32:52.152Z", "dateReserved": "2026-04-16T17:32:39.584Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T17:32:40.068Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "id": "CVE-2026-41082", "lastModified": "2026-04-21T10:16:31.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T18:16:45.980", "references": [{"source": "cve@mitre.org", "url": "https://github.com/ocaml/opam/pull/6897"}, {"source": "cve@mitre.org", "url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-24"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "ocaml-opam: path traversal via the .install field", "id": "2459003", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459003"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-24", "details": ["A flaw was found in OCaml opam. A malicious package containing a crafted .install field with directory traversal sequences allows an attacker to write files to arbitrary locations, potentially overwriting system files and causing arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, do not install packages from untrusted sources and manually inspect the .install field in the package source to make sure it does not contain malicious paths."}, "name": "CVE-2026-41082", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ocaml-dune", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-16T17:32:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41082\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41082\nhttps://github.com/ocaml/opam/pull/6897\nhttps://github.com/ocaml/opam/releases/tag/2.5.1"], "statement": "To exploit this flaw, an attacker must convince a user to install a malicious package with a specially crafted .install field. Due to this reason, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.1)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "opam", "source": "cna", "vendor": "OCaml"}, "product": "ocaml", "vendor": "ocaml"}], "analysis": {"en": {"generated_at": "2026-04-17T02:54:30.052129+00:00", "value": {"mitigation_remediation": ["Apply the latest opam release 2.5.1 or newer, which removes the directory traversal flaw.", "Limit opam to trusted package sources or use opam's \"--trusted\" flag when installing very carefully vetted packages.", "Implement file system or opam environment restrictions (e.g., chroot or sandbox) to isolate installation directories when working with untrusted packages."], "summary": {"action": "Immediate Patch", "impact": "Path traversal enabling arbitrary file modification"}, "threat_synthesis": {"affected_systems": "The affected product is OCaml's opam, with all releases preceding 2.5.1 impacted. Packages that contain a malicious \".install\" field within these versions pose the risk.\n", "description_and_impact": "In prior to version 2.5.1 of OCaml's opam package manager, the installer script field named \".install\" allows a package author to specify a destination path for an installed file. A malicious package can insert the string \"../\" into this path, causing opam to write the file outside the intended package directory and potentially into system\u2011wide locations. The effect is unauthorized modification of files that may lead to privilege escalation, configuration tampering, or denial of service if critical files are overwritten.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.3, indicating high severity, and is not currently listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is not available, but the lack of availability does not mitigate the inherent risk. The likely attack vector is misuse of a malicious package either through a local repository or by convincing a user to install a compromised package. Successful exploitation requires the ability to supply or run an opam install command with the tainted package."}}}}, "created": "2026-04-17T03:00:08.455733+00:00", "title": "Path Traversal in opam .install Files Enables Arbitrary File Modification", "updated": "2026-04-17T08:00:10.885162+00:00", "vendors": ["ocaml", "ocaml$PRODUCT$ocaml"]}