CVE-2026-5223 — Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The — CVE Database · The Intelligence Room