CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-JX8M-XM6X-225Q
Vulnerability from github – Published: 2022-04-29 01:26 – Updated: 2024-01-26 18:30cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2003-0578"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2003-08-18T04:00:00Z",
"severity": "MODERATE"
},
"details": "cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.",
"id": "GHSA-jx8m-xm6x-225q",
"modified": "2024-01-26T18:30:30Z",
"published": "2022-04-29T01:26:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0578"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0025.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=105839150004682\u0026w=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXHX-2GQW-C77X
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2022-05-24 17:02The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2019-3690"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-05T16:15:00Z",
"severity": "HIGH"
},
"details": "The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.",
"id": "GHSA-jxhx-2gqw-c77x",
"modified": "2022-05-24T17:02:46Z",
"published": "2022-05-24T17:02:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3690"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1150734"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JXPQ-C7WX-P6H2
Vulnerability from github – Published: 2022-05-17 03:05 – Updated: 2022-05-17 03:05The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.
{
"affected": [],
"aliases": [
"CVE-2014-5029"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-07-29T14:55:00Z",
"severity": "LOW"
},
"details": "The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.",
"id": "GHSA-jxpq-c7wx-p6h2",
"modified": "2022-05-17T03:05:53Z",
"published": "2022-05-17T03:05:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5029"
},
{
"type": "WEB",
"url": "https://cups.org/str.php?L4455"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0313.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1388.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60509"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60787"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2990"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:108"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/07/22/13"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/07/22/2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2341-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JXRQ-8FM4-9P58
Vulnerability from github – Published: 2026-03-03 23:09 – Updated: 2026-03-03 23:09Summary
A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version at triage time:
2026.2.21-2 - Affected versions:
<= 2026.2.21-2 - Planned patched version for next release:
2026.2.22
Technical Details
The vulnerable path was in src/infra/archive.ts ZIP extraction logic. Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments.
The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal.
Impact
- Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction.
- Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path.
Fix Commit(s)
- 4b226b74f5fd3b106a83a6347fd404172e2fd246
Release Process Note
Patched version is pre-set to the planned next release (2026.2.22).
Once npm release 2026.2.22 is published, the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:09:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage time: `2026.2.21-2`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Planned patched version for next release: `2026.2.22`\n\n### Technical Details\nThe vulnerable path was in `src/infra/archive.ts` ZIP extraction logic. Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments.\n\nThe fix blocks this by:\n- rejecting symlink traversal in destination path segments,\n- validating resolved destination paths remain inside the extraction root,\n- using no-follow file opens for ZIP output writes where supported,\n- adding a regression test for pre-seeded destination symlink traversal.\n\n### Impact\n- Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction.\n- Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path.\n\n### Fix Commit(s)\n- 4b226b74f5fd3b106a83a6347fd404172e2fd246\n\n### Release Process Note\nPatched version is pre-set to the planned next release (`2026.2.22`).\nOnce npm release `2026.2.22` is published, the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-jxrq-8fm4-9p58",
"modified": "2026-03-03T23:09:31Z",
"published": "2026-03-03T23:09:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4b226b74f5fd3b106a83a6347fd404172e2fd246"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Zip extraction symlink traversal could write outside destination"
}
GHSA-JXVM-52QC-QCP4
Vulnerability from github – Published: 2026-04-29 15:30 – Updated: 2026-06-06 09:31Improper link resolution before file access ('link following') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack.
This issue affects Pardus About: before v1.2.1.
{
"affected": [],
"aliases": [
"CVE-2026-5161"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T15:16:08Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack.\n\nThis issue affects Pardus About: before v1.2.1.",
"id": "GHSA-jxvm-52qc-qcp4",
"modified": "2026-06-06T09:31:16Z",
"published": "2026-04-29T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5161"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0131"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0131"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXW3-C37C-7RFX
Vulnerability from github – Published: 2023-04-21 21:30 – Updated: 2024-04-04 03:38The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.
{
"affected": [],
"aliases": [
"CVE-2022-47505"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-21T20:15:07Z",
"severity": "HIGH"
},
"details": "The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.",
"id": "GHSA-jxw3-c37c-7rfx",
"modified": "2024-04-04T03:38:18Z",
"published": "2023-04-21T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47505"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M27F-97WM-9GQR
Vulnerability from github – Published: 2026-05-05 15:31 – Updated: 2026-05-05 15:31A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks.
{
"affected": [],
"aliases": [
"CVE-2026-7832"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T13:16:31Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks.",
"id": "GHSA-m27f-97wm-9gqr",
"modified": "2026-05-05T15:31:36Z",
"published": "2026-05-05T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7832"
},
{
"type": "WEB",
"url": "https://github.com/usernameone101/Writeups/blob/main/IObit%20Zero%20Day%20(Updated%20v2).pdf"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/797630"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/361111"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/361111/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M2G8-2VHM-M4CX
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.
{
"affected": [],
"aliases": [
"CVE-2024-12390"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:28Z",
"severity": "HIGH"
},
"details": "A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application\u0027s own code.",
"id": "GHSA-m2g8-2vhm-m4cx",
"modified": "2025-03-20T12:32:43Z",
"published": "2025-03-20T12:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12390"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/1add2b26-460d-4aa5-8fda-ab045d153177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3PV-JRFQ-7XP6
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23413.
{
"affected": [],
"aliases": [
"CVE-2024-7243"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:17Z",
"severity": "HIGH"
},
"details": "Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23413.",
"id": "GHSA-m3pv-jrfq-7xp6",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7243"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3QC-45F7-WFVH
Vulnerability from github – Published: 2022-04-30 18:17 – Updated: 2022-04-30 18:17fetchmailconf in fetchmail before 5.7.4 allows local users to overwrite files of other users via a symlink attack on temporary files.
{
"affected": [],
"aliases": [
"CVE-2001-1378"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-09-06T04:00:00Z",
"severity": "LOW"
},
"details": "fetchmailconf in fetchmail before 5.7.4 allows local users to overwrite files of other users via a symlink attack on temporary files.",
"id": "GHSA-m3qc-45f7-wfvh",
"modified": "2022-04-30T18:17:55Z",
"published": "2022-04-30T18:17:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1378"
},
{
"type": "WEB",
"url": "http://lists.ccil.org/pipermail/fetchmail-announce/2001-March/000015.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2001-103.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.