In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8256-1 advisory.

    Andrew Nesbitt discovered that opam did not properly validate file destination paths in package install     files. An attacker could use this issue to bypass sandbox protections and write files to arbitrary     locations, possibly leading to arbitrary code execution.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 9b5d6fbb-4893-11f1-82bf-3c7c3fba4204 advisory.

    https://github.com/ocaml/opam/releases/tag/2.5.1 reports:
    In OCaml opam before 2.5.1, a .install field containing a destination     filepath can use ../ to reach a parent directory.
    Reported by Andrew Nesbitt <andrewnez@gmail.com>.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4541 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4541-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/               Emilio Pozuelo Monfort     April 21, 2026                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : opam     Version        : 2.0.8-1+deb11u1     CVE ID         : CVE-2026-41082

    Andrew Nesbitt discovered that .install file directives were     insufficiently restricted in OPAM, a package manager for OCaml. This     could result in directory traversal out of the package area.

    For Debian 11 bullseye, this problem has been fixed in version     2.0.8-1+deb11u1.

    We recommend that you upgrade your opam packages.

    For the detailed security status of opam please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/opam

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6216 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6216-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 17, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : opam     CVE ID         : CVE-2026-41082

    Andrew Nesbitt discovered that .install file directives were     insufficiently restricted in OPAM, a package manager for OCaml. This     could result in directory traversal out of the package area.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 2.1.2-1+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 2.3.0-1+deb13u1.

    We recommend that you upgrade your opam packages.

    For the detailed security status of opam please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/opam

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a     parent directory. (CVE-2026-41082)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
314209	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : opam vulnerability (USN-8256-1)	Nessus	Ubuntu Local Security Checks	high
312250	FreeBSD : devel/ocaml-opam -- CWE-24 Path Traversal: '../filedir' (9b5d6fbb-4893-11f1-82bf-3c7c3fba4204)	Nessus	FreeBSD Local Security Checks	high
307900	Debian dla-4541 : opam - security update	Nessus	Debian Local Security Checks	high
307613	Debian dsa-6216 : opam - security update	Nessus	Debian Local Security Checks	high
306846	Linux Distros Unpatched Vulnerability : CVE-2026-41082	Nessus	Misc.	high

Detections

Analytics

CVE-2026-41082

high

Tenable Plugins

high

high

high

high

high