GHSA-FQ3W-P4FG-MW73
Vulnerability from github – Published: 2026-06-25 18:00 – Updated: 2026-06-25 18:00Impact
Affects: Anyone who generates the UNIX man pages in Fuji <= 0.8.0 build with the dev crate feature.
Consequences: /usr/share/man/man8 may be entirely removed & re-created without any of the previous entries.
Patches
At the time of writing, no new version has been released on crates.io, due to an unrelated CI/CD publishing issue. Due to the same unrelated publishing issue, no new GitHub Releases version has been released.
Workarounds
Do not run fuji manual on non-dev builds for versions <= 0.8.0.
Additional Information
This bug results from development-only code being accidentally left in for release use.
Previous versions of Fuji are still "safe" to use, provided that you do not run fuji manual.
There is no malicious potential from this, it's just a major annoyance to accidentally remove all your sysadmin man pages.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.0"
},
"package": {
"ecosystem": "crates.io",
"name": "fixurjavainstall"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:00:18Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nAffects: Anyone who generates the UNIX man pages in Fuji \u003c= `0.8.0` build with the `dev` crate feature.\nConsequences: `/usr/share/man/man8` may be entirely removed \u0026 re-created without any of the previous entries.\n\n### Patches\nAt the time of writing, no new version has been released on crates.io, due to an unrelated CI/CD publishing issue.\nDue to the same unrelated publishing issue, no new GitHub Releases version has been released.\n\n### Workarounds\nDo not run `fuji manual` on non-`dev` builds for versions \u003c= `0.8.0`.\n\n### Additional Information\nThis bug results from development-only code being accidentally left in for release use.\nPrevious versions of Fuji are still \"safe\" to use, provided that you do not run `fuji manual`.\nThere is no malicious potential from this, it\u0027s just a major annoyance to accidentally remove all your sysadmin man pages.",
"id": "GHSA-fq3w-p4fg-mw73",
"modified": "2026-06-25T18:00:18Z",
"published": "2026-06-25T18:00:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EpicVon2468/fixurjavainstall/security/advisories/GHSA-fq3w-p4fg-mw73"
},
{
"type": "PACKAGE",
"url": "https://github.com/EpicVon2468/fixurjavainstall"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.