HSEC-2026-0006

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0006.json
JSON Data
https://api.test.osv.dev/v1/vulns/HSEC-2026-0006
Published
2026-04-08T14:23:27Z
Modified
2026-04-08T14:31:58.862411Z
Summary
Cabal deletes project source files during configure
Details

The checkDuplicateHeaders function in Distribution.Simple.Configure removes header files from the source directory when a header with the same name exists in both the build directory and the source directory.

This behavior was introduced in commit 3a9830b to resolve header precedence issues, as C compilers prefer relative includes over -I search paths. The workaround uses removeFile on source directory files, which is destructive and should not happen during a build process.

While the current implementation does not follow symlinks explicitly, the deletion of source files outside of the project during a build operation is possible on Microsoft Windows.
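
A pre-configure audit for the condition described above, as an added example that is not part of the advisory and is not Cabal's own code. It lists headers in the source tree that also exist in the build directory. The function names, the header suffix set, and matching by path relative to each root are assumptions; the advisory says only that headers with "the same name" in both directories are affected.

```python
import os
import sys
from pathlib import Path
from typing import Optional

# Assumption: which suffixes count as header files.
HEADER_SUFFIXES = {".h", ".hh", ".hpp"}


def headers_under(root: Path, skip: Optional[Path] = None) -> set:
    """Return header paths relative to root, without descending into skip."""
    found = set()
    # os.walk does not follow directory symlinks by default.
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if skip is not None:
            # The build directory usually lives inside the source tree; prune it
            # so build outputs are not counted as source headers.
            dirnames[:] = [d for d in dirnames if (here / d).resolve() != skip]
        for name in filenames:
            if Path(name).suffix.lower() in HEADER_SUFFIXES:
                found.add((here / name).relative_to(root).as_posix())
    return found


def headers_at_risk(source_dir, build_dir) -> list:
    """Headers present in both trees under the same relative path (assumed rule)."""
    source_dir = Path(source_dir).resolve()
    build_dir = Path(build_dir).resolve()
    in_source = headers_under(source_dir, skip=build_dir)
    in_build = headers_under(build_dir)
    return sorted(in_source & in_build)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_headers.py SOURCE_DIR BUILD_DIR")
    hits = headers_at_risk(sys.argv[1], sys.argv[2])
    for rel in hits:
        print(f"source header may be removed by configure: {rel}")
    # A non-zero exit lets a CI step stop before configure runs.
    sys.exit(1 if hits else 0)
```

Run it against a clean checkout before configuring, and commit or back up any listed header first.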

Database specific
{
    "repository": "https://github.com/haskell/security-advisories",
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"
}

Affected packages

Hackage / Cabal

Package

Name
Cabal
Purl
pkg:hackage/Cabal

Severity

  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2

Affected versions

2.*
2.2.0.0
2.2.0.1
2.4.0.0
2.4.0.1
2.4.1.0
3.*
3.0.0.0
3.0.1.0
3.0.2.0
3.2.0.0
3.2.1.0
3.4.0.0
3.4.1.0
3.6.0.0
3.6.1.0
3.6.2.0
3.6.3.0
3.8.1.0
3.10.1.0
3.10.2.0
3.10.2.1
3.10.3.0
3.12.0.0
3.12.1.0
3.14.0.0
3.14.1.0
3.14.1.1
3.14.2.0
3.16.0.0
3.16.1.0

Database specific

source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0006.json"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0006.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0006.md"