Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1987 vulnerabilities reference this CWE, most recent first.

CVE-2026-14891 (GCVE-0-2026-14891)

Vulnerability from cvelistv5 – Published: 2026-07-08 20:09 – Updated: 2026-07-09 03:55
VLAI
Title
Nomad vulnerable to sandbox escape in Docker task driver
Summary
HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access (Link Following)
Assigner
Impacted products
Vendor Product Version
HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
Create a notification for this product.
HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
Create a notification for this product.
Credits
This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-14891",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T03:55:54.984Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Nomad",
          "repo": "https://github.com/hashicorp/nomad",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.4",
              "status": "affected",
              "version": "0.4.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Nomad Enterprise",
          "repo": "https://github.com/hashicorp/nomad",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.11.8",
                  "status": "unaffected"
                },
                {
                  "at": "1.10.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.4",
              "status": "affected",
              "version": "0.4.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132: Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T20:09:05.752Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-21-nomad-vulnerable-to-sandbox-escape-in-docker-task-driver/77561"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-21",
        "discovery": "EXTERNAL"
      },
      "title": "Nomad vulnerable to sandbox escape in Docker task driver"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-14891",
    "datePublished": "2026-07-08T20:09:05.752Z",
    "dateReserved": "2026-07-06T18:05:48.932Z",
    "dateUpdated": "2026-07-09T03:55:54.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-14699 (GCVE-0-2026-14699)

Vulnerability from cvelistv5 – Published: 2026-07-05 03:15 – Updated: 2026-07-06 16:21
VLAI
Title
zcaceres markdownify-mcp Markdownify.ts assertPathAllowed symlink
Summary
A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is the function assertPathAllowed of the file src/Markdownify.ts. Executing a manipulation can lead to symlink following. The attack can only be executed locally. The pull request to fix this issue awaits acceptance.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
zcaceres markdownify-mcp Affected: 1.0
Affected: 1.1.0
    cpe:2.3:a:zcaceres:markdownify-mcp:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dem000000 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-14699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T16:20:52.255822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T16:21:02.273Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:zcaceres:markdownify-mcp:*:*:*:*:*:*:*:*"
          ],
          "product": "markdownify-mcp",
          "vendor": "zcaceres",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            },
            {
              "status": "affected",
              "version": "1.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dem000000 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is the function assertPathAllowed of the file src/Markdownify.ts. Executing a manipulation can lead to symlink following. The attack can only be executed locally. The pull request to fix this issue awaits acceptance."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.7,
            "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "Symlink Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-05T03:15:08.112Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-376295 | zcaceres markdownify-mcp Markdownify.ts assertPathAllowed symlink",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/376295"
        },
        {
          "name": "VDB-376295 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/376295/cti"
        },
        {
          "name": "CVE-2026-14699 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-14699"
        },
        {
          "name": "Submit #846864 | zcaceres markdownify-mcp / mcp-markdownify-server up to 1.1.0 CWE-59: Improper Link Resolution Before File Access (\u0027Link Follo",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/846864"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/zcaceres/markdownify-mcp/issues/108"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/zcaceres/markdownify-mcp/pull/109"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/zcaceres/markdownify-mcp/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-04T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-04T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-04T07:27:46.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "zcaceres markdownify-mcp Markdownify.ts assertPathAllowed symlink"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-14699",
    "datePublished": "2026-07-05T03:15:08.112Z",
    "dateReserved": "2026-07-04T05:22:43.104Z",
    "dateUpdated": "2026-07-06T16:21:02.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-14361 (GCVE-0-2026-14361)

Vulnerability from cvelistv5 – Published: 2026-07-08 20:11 – Updated: 2026-07-08 20:37
VLAI
Title
Consul-template is vulnerable to path redirection in writeToFile through symlink attack
Summary
The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access (Link Following)
Assigner
Impacted products
Vendor Product Version
HashiCorp Tooling Affected: 0.1.0 , < 0.42.1 (semver)
Create a notification for this product.
Credits
This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-14361",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T20:37:49.249358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-08T20:37:56.570Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Tooling",
          "repo": "https://github.com/hashicorp/consul-template",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "0.42.1",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma)."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132: Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T20:11:32.799Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-20",
        "discovery": "EXTERNAL"
      },
      "title": "Consul-template is vulnerable to path redirection in writeToFile through symlink attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-14361",
    "datePublished": "2026-07-08T20:11:32.799Z",
    "dateReserved": "2026-07-01T19:00:00.428Z",
    "dateUpdated": "2026-07-08T20:37:56.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12567 (GCVE-0-2026-12567)

Vulnerability from cvelistv5 – Published: 2026-06-17 21:51 – Updated: 2026-06-18 12:50
VLAI
Title
Symlink-following arbitrary write via github_workflows module
Summary
The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
Impacted products
Vendor Product Version
Black Lantern Security BBOT Affected: 2.0.0 , ≤ <=2.8.4 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12567",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T12:50:06.432373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T12:50:13.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BBOT",
          "repo": "https://github.com/blacklanternsecurity/bbot",
          "vendor": "Black Lantern Security",
          "versions": [
            {
              "lessThanOrEqual": "\u003c=2.8.4",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location."
            }
          ],
          "value": "The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132 Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.2,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T21:51:35.593Z",
        "orgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d",
        "shortName": "BLSOPS"
      },
      "references": [
        {
          "url": "https://github.com/blacklanternsecurity/bbot/commit/16d9c42b6"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Symlink-following arbitrary write via github_workflows module",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d",
    "assignerShortName": "BLSOPS",
    "cveId": "CVE-2026-12567",
    "datePublished": "2026-06-17T21:51:35.593Z",
    "dateReserved": "2026-06-17T21:49:05.331Z",
    "dateUpdated": "2026-06-18T12:50:13.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12391 (GCVE-0-2026-12391)

Vulnerability from cvelistv5 – Published: 2026-07-16 12:17 – Updated: 2026-07-16 13:28
VLAI
Title
ubuntu-pro-client Local Privilege Escalation and Information Disclosure via Symlink Arbitrary File Read in collect-logs
Summary
An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper link resolution before file access ('link following')
Assigner
References
Date Public
2026-07-16 12:00
Credits
Mateusz Gierblinski
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12391",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-16T13:20:30.714803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-16T13:28:19.156Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/canonical/",
          "defaultStatus": "unaffected",
          "packageName": "ubuntu-pro-client",
          "platforms": [
            "Linux"
          ],
          "product": "ubuntu-pro-client (ubuntu-advantage-tools)",
          "repo": "https://github.com/canonical/ubuntu-pro-client",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "37.3",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/resolute",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 26.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.2ubuntu0.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/noble",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 24.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.2ubuntu~24.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/jammy",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 22.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.2ubuntu~22.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/focal",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 20.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.1ubuntu0~20.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/bionic",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 18.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.1ubuntu0~18.04.1",
              "versionType": "dpkg"
            }
          ]
        },
        {
          "collectionURL": "https://launchpad.net/ubuntu/xenial",
          "defaultStatus": "affected",
          "packageName": "ubuntu-advantage-tools",
          "platforms": [
            "Linux"
          ],
          "product": "Ubuntu 16.04 LTS",
          "repo": "https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools",
          "vendor": "Canonical",
          "versions": [
            {
              "status": "unaffected",
              "version": "37.1ubuntu0~16.04.1",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mateusz Gierblinski"
        }
      ],
      "datePublic": "2026-07-16T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An insecure symlink following vulnerability exists in Canonical\u003cbr\u003eubuntu-pro-client (formerly ubuntu-advantage-tools) within the\u003cbr\u003epro collect-logs command framework. The utility creates or utilizes\u003cbr\u003epredictable temporary file paths or user-accessible log directories when\u003cbr\u003egathering diagnostic information without verifying the file type or ownership.\u003cbr\u003eAn unprivileged local attacker can exploit this behavior by creating a\u003cbr\u003esymbolic link (symlink) at a predictable destination path pointing to an\u003cbr\u003earbitrary, root-readable file (such as /etc/shadow or private files within\u003cbr\u003e/root).\u003cbr\u003eWhen a root administrator or operator subsequently executes the\u003cbr\u003epro collect-logs command, the tool follows the user-controlled symlink, reads\u003cbr\u003ethe target file, and compresses its contents into the resulting diagnostic\u003cbr\u003esupport archive. Because the output archive remains readable by the\u003cbr\u003eunprivileged user, the attacker can extract and read the sensitive root-owned\u003cbr\u003efiles, leading to a complete information disclosure of system secrets.\u003cbr\u003e"
            }
          ],
          "value": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132 Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper link resolution before file access (\u0027link following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-16T12:17:01.094Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://ubuntu.com/security/CVE-2026-12391"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ubuntu-pro-client Local Privilege Escalation and Information Disclosure via Symlink Arbitrary File Read in collect-logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-12391",
    "datePublished": "2026-07-16T12:17:01.094Z",
    "dateReserved": "2026-06-16T12:15:12.153Z",
    "dateUpdated": "2026-07-16T13:28:19.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11940 (GCVE-0-2026-11940)

Vulnerability from cvelistv5 – Published: 2026-06-23 16:04 – Updated: 2026-06-30 15:13
VLAI
Title
tarfile extraction filter bypass allows escaping the destination directory
Summary
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself.  The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory.  This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
PSF
Impacted products
Vendor Product Version
Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
Create a notification for this product.
Credits
Haruki Oyama (https://github.com/harukioya) Stan Ulbrych (https://github.com/StanFromIreland) Petr Viktorin (https://github.com/encukou)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T17:57:25.652265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:57:32.525Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.15.0",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Haruki Oyama (https://github.com/harukioya)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Petr Viktorin (https://github.com/encukou)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/html",
              "value": "\u003cspan\u003etarfile.extractall()\u003c/span\u003e with the \u003cspan\u003e\u0027data\u0027\u003c/span\u003e or \u003cspan\u003e\u0027tar\u0027\u003c/span\u003e\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u0026nbsp; \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\u003cbr\u003epath, letting a relative\n target the filter judged contained escape the destination directory.\u0026nbsp; \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
            }
          ],
          "value": "tarfile.extractall() with the \u0027data\u0027 or \u0027tar\u0027\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T15:13:33.568Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/151559"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/151558"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "tarfile extraction filter bypass allows escaping the destination directory",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2026-11940",
    "datePublished": "2026-06-23T16:04:17.321Z",
    "dateReserved": "2026-06-10T19:50:59.923Z",
    "dateUpdated": "2026-06-30T15:13:33.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11837 (GCVE-0-2026-11837)

Vulnerability from cvelistv5 – Published: 2026-06-10 05:03 – Updated: 2026-07-15 01:23
VLAI
Title
Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown
Summary
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Date Public
2026-06-10 00:00
Credits
Red Hat would like to thank Valentino Paulon for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11837",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:57:35.655997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:58:16.264Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhel-system-roles",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "rhc-worker-playbook",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhel-system-roles",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhel-system-roles",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openstack:17.1"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-collection-ansible-posix",
            "product": "Red Hat OpenStack Platform 17.1",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openstack:18.0"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-collection-ansible-posix",
            "product": "Red Hat OpenStack Platform 18.0",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-10T00:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module\u0027s keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-59",
                "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:23:04.815Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-11837"
          },
          {
            "name": "RHBZ#2487424",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487424"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11837.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-07T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-10T00:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown",
        "workarounds": [
          {
            "lang": "en",
            "value": "The following practices would help for avoiding exposure and mitigate this flaw:\n\n1) Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts. \n2) Validate that target user home directories do not contain unexpected symbolic links before running playbooks."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhel-system-roles",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhc-worker-playbook",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhel-system-roles",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhel-system-roles",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.1"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-collection-ansible-posix",
          "product": "Red Hat OpenStack Platform 17.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:18.0"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-collection-ansible-posix",
          "product": "Red Hat OpenStack Platform 18.0",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Valentino Paulon for reporting this issue."
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module\u0027s keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T08:36:22.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-11837"
        },
        {
          "name": "RHBZ#2487424",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487424"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-07T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-10T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown",
      "workarounds": [
        {
          "lang": "en",
          "value": "The following practices would help for avoiding exposure and mitigate this flaw:\n\n1) Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts. \n2) Validate that target user home directories do not contain unexpected symbolic links before running playbooks."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-11837",
    "datePublished": "2026-06-10T05:03:05.734Z",
    "dateReserved": "2026-06-10T04:10:05.146Z",
    "dateUpdated": "2026-07-15T01:23:04.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11322 (GCVE-0-2026-11322)

Vulnerability from cvelistv5 – Published: 2026-06-04 21:58 – Updated: 2026-07-14 15:53
VLAI
Title
Hermes WebUI before 0.51.221 Path Traversal via Symlink Workspace Bypass
Summary
Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
Impacted products
Vendor Product Version
nesquena Hermes WebUI Affected: 0 , < 0.51.221 (semver)
Create a notification for this product.
Date Public
2026-06-02 21:00
Credits
Chia Min Jun Lennon
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11322",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T20:06:29.352173Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-05T20:06:34.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nesquena/hermes-webui/pull/3398"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/nesquena/hermes-webui",
          "defaultStatus": "unknown",
          "product": "Hermes WebUI",
          "vendor": "nesquena",
          "versions": [
            {
              "lessThan": "0.51.221",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:get-hermes:hermes_web_ui:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.51.221",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Chia Min Jun Lennon"
        }
      ],
      "datePublic": "2026-06-02T21:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.\u003c/p\u003e"
            }
          ],
          "value": "Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T15:53:04.733Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/nesquena/hermes-webui/pull/3398"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/nesquena/hermes-webui/commit/7c48c376299b8058fd35127a59aefadded7e4a92"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/hermes-webui-before-path-traversal-via-symlink-workspace-bypass"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Hermes WebUI before 0.51.221 Path Traversal via Symlink Workspace Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-11322",
    "datePublished": "2026-06-04T21:58:47.308Z",
    "dateReserved": "2026-06-04T21:29:10.986Z",
    "dateUpdated": "2026-07-14T15:53:04.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9804 (GCVE-0-2026-9804)

Vulnerability from cvelistv5 – Published: 2026-05-28 08:15 – Updated: 2026-07-15 00:38
VLAI
Title
Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read
Summary
A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2026:27903 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27913 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27914 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27983 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28002 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-9804 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2482487 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
Impacted products
Vendor Product Version
Red Hat Red Hat Container Native Virtualization 4.17 Unaffected: 1781757410 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.17::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.18 Unaffected: 1781928221 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.18::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.19 Unaffected: 1781590993 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.20 Unaffected: 1781838712 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.20::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.21 Unaffected: 1782012918 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.21::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
Create a notification for this product.
Date Public
2026-05-28 06:00
Credits
Red Hat would like to thank Thai Son Dinh, GitHub: @sondt99 (VinSOC) for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9804",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-30T01:54:32.833433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-30T01:54:43.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.17::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "Red Hat Container Native Virtualization 4.17",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781757410",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.18::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "Red Hat Container Native Virtualization 4.18",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781928221",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "Red Hat Container Native Virtualization 4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781590993",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.20::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "Red Hat Container Native Virtualization 4.20",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781838712",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.21::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "Red Hat Container Native Virtualization 4.21",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1782012918",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-28T06:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in KubeVirt\u0027s virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod\u0027s filesystem. This leads to information disclosure, potentially exposing sensitive data."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-59",
                "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T00:38:26.784Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-9804"
          },
          {
            "name": "RHBZ#2482487",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482487"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9804.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28002"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27913"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27914"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27983"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27903"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:28002: Red Hat Container Native Virtualization 4.17"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27913: Red Hat Container Native Virtualization 4.18"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27914: Red Hat Container Native Virtualization 4.19"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27983: Red Hat Container Native Virtualization 4.20"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27903: Red Hat Container Native Virtualization 4.21"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-18T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-28T06:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "kubevirt: kubevirt: VMExport directory symlink escape enables exporter pod file read",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.17::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.17",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781757410",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.18::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.18",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781928221",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781590993",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.20::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.20",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781838712",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.21::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.21",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1782012918",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver",
          "product": "Red Hat OpenShift Virtualization 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Thai Son Dinh, GitHub: @sondt99 (VinSOC) for reporting this issue."
        }
      ],
      "datePublic": "2026-05-28T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in KubeVirt\u0027s virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod\u0027s filesystem. This leads to information disclosure, potentially exposing sensitive data."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T19:24:45.875Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:27903",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27903"
        },
        {
          "name": "RHSA-2026:27913",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27913"
        },
        {
          "name": "RHSA-2026:27914",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27914"
        },
        {
          "name": "RHSA-2026:27983",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27983"
        },
        {
          "name": "RHSA-2026:28002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28002"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-9804"
        },
        {
          "name": "RHBZ#2482487",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482487"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-18T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-28T06:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-9804",
    "datePublished": "2026-05-28T08:15:39.779Z",
    "dateReserved": "2026-05-28T06:10:07.134Z",
    "dateUpdated": "2026-07-15T00:38:26.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8784 (GCVE-0-2026-8784)

Vulnerability from cvelistv5 – Published: 2026-05-18 02:30 – Updated: 2026-05-18 12:24 X_Open Source
VLAI
Title
npitre cramfs-tools cramfsck.c change_file_status symlink
Summary
A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
npitre cramfs-tools Affected: 2.0
Affected: 2.1
Affected: 2.2
    cpe:2.3:a:npitre:cramfs-tools:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
nich0las (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8784",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T12:24:11.194480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T12:24:18.988Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:npitre:cramfs-tools:*:*:*:*:*:*:*:*"
          ],
          "product": "cramfs-tools",
          "vendor": "npitre",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "nich0las (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:L/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "Symlink Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T02:30:13.275Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-364408 | npitre cramfs-tools cramfsck.c change_file_status symlink",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/364408"
        },
        {
          "name": "VDB-364408 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/364408/cti"
        },
        {
          "name": "Submit #811897 | GNU cramfs-tools below v2.2 Symlink Following",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/811897"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/npitre/cramfs-tools/issues/13"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/npitre/cramfs-tools/issues/13#issuecomment-4306102583"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/npitre/cramfs-tools/commit/b4a3a695c9873f824907bd15659f2a6ac7667b4f"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/npitre/cramfs-tools/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-17T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-05-17T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-17T12:04:24.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "npitre cramfs-tools cramfsck.c change_file_status symlink"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-8784",
    "datePublished": "2026-05-18T02:30:13.275Z",
    "dateReserved": "2026-05-17T09:59:14.863Z",
    "dateUpdated": "2026-05-18T12:24:18.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.