CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1992 vulnerabilities reference this CWE, most recent first.
GHSA-HGX9-224C-3P2X
Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-16 21:31Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.
{
"affected": [],
"aliases": [
"CVE-2026-50656"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T19:16:59Z",
"severity": "HIGH"
},
"details": "Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as \u0026quot;RoguePlanet \u0026quot;. We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.",
"id": "GHSA-hgx9-224c-3p2x",
"modified": "2026-06-16T21:31:57Z",
"published": "2026-06-16T21:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50656"
},
{
"type": "WEB",
"url": "https://github.com/MSNightmare/RoguePlanet"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HH95-R7MJ-C9J5
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-07-03 15:31attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.
{
"affected": [],
"aliases": [
"CVE-2026-54371"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T14:16:57Z",
"severity": "HIGH"
},
"details": "attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.",
"id": "GHSA-hh95-r7mj-c9j5",
"modified": "2026-07-03T15:31:56Z",
"published": "2026-06-29T15:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54371"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34889"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-54371"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490283"
},
{
"type": "WEB",
"url": "https://cgit.git.savannah.nongnu.org/cgit/attr.git/commit/?id=49f79e947270f06940b9100fa638f85dddc4aa7f"
},
{
"type": "WEB",
"url": "https://cgit.git.savannah.nongnu.org/cgit/attr.git/commit/?id=c440855d6b33446edf4b5eb1a2d892281f15a99b"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54371.json"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/attr-symlink-traversal-privilege-escalation-via-getfattr-setfattr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HH9C-WJP6-58H4
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows local users to delete arbitrary files via a symlink attack on a directory under (1) /var/lock or (2) /var/run. NOTE: this issue exists because of a race condition in an incorrect fix for CVE-2008-3524. NOTE: exploitation may require an unusual scenario in which rc.sysinit is executed other than at boot time.
{
"affected": [],
"aliases": [
"CVE-2008-4832"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-17T23:30:00Z",
"severity": "MODERATE"
},
"details": "rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows local users to delete arbitrary files via a symlink attack on a directory under (1) /var/lock or (2) /var/run. NOTE: this issue exists because of a race condition in an incorrect fix for CVE-2008-3524. NOTE: exploitation may require an unusual scenario in which rc.sysinit is executed other than at boot time.",
"id": "GHSA-hh9c-wjp6-58h4",
"modified": "2022-05-17T02:18:59Z",
"published": "2022-05-17T02:18:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4832"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46700"
},
{
"type": "WEB",
"url": "https://issues.rpath.com/browse/RPL-2857"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32710"
},
{
"type": "WEB",
"url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0318"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HHC7-JQ5J-875Q
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:04snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
{
"affected": [],
"aliases": [
"CVE-2019-11502"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-24T21:29:00Z",
"severity": "HIGH"
},
"details": "snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.",
"id": "GHSA-hhc7-jq5j-875q",
"modified": "2024-04-04T00:04:44Z",
"published": "2022-05-24T16:44:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11502"
},
{
"type": "WEB",
"url": "https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/04/25/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHJM-W4MX-FGWH
Vulnerability from github – Published: 2022-05-02 03:19 – Updated: 2022-05-02 03:19Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4, 2.0.6r39760, 2.1.0, 2.1.2, and 2.1.4r42893 on Linux allows local users to gain privileges via a hardlink attack, which preserves setuid/setgid bits on Linux, related to DT_RPATH:$ORIGIN.
{
"affected": [],
"aliases": [
"CVE-2009-0876"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-03-12T15:20:00Z",
"severity": "MODERATE"
},
"details": "Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4, 2.0.6r39760, 2.1.0, 2.1.2, and 2.1.4r42893 on Linux allows local users to gain privileges via a hardlink attack, which preserves setuid/setgid bits on Linux, related to DT_RPATH:$ORIGIN.",
"id": "GHSA-hhjm-w4mx-fgwh",
"modified": "2022-05-02T03:19:02Z",
"published": "2022-05-02T03:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0876"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=260331"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49193"
},
{
"type": "WEB",
"url": "http://osvdb.org/52580"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34232"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-254568-1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/03/15/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/03/17/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/34080"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1021841"
},
{
"type": "WEB",
"url": "http://www.virtualbox.org/ticket/3444"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/0674"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HHV8-FQHV-49R6
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
{
"affected": [],
"aliases": [
"CVE-2008-5007"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-10T14:12:00Z",
"severity": "MODERATE"
},
"details": "create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.",
"id": "GHSA-hhv8-fqhv-49r6",
"modified": "2022-05-17T02:18:26Z",
"published": "2022-05-17T02:18:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5007"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235828"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44824"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496377"
},
{
"type": "WEB",
"url": "http://code.google.com/p/bollin/source/browse/lazarus/trunk/debian/patches/07_sh_using_tmp.dpatch?spec=svn3462\u0026r=3462"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/lazarus-src"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30917"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJC9-48R3-J77H
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18perl.robot in realtimebattle 1.0.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl.robot.log temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4981"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "perl.robot in realtimebattle 1.0.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl.robot.log temporary file.",
"id": "GHSA-hjc9-48r3-j77h",
"modified": "2022-05-17T02:18:28Z",
"published": "2022-05-17T02:18:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4981"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44882"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496385"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/realtimebattle-common"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30967"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJR9-62GJ-CHHF
Vulnerability from github – Published: 2026-04-23 21:31 – Updated: 2026-04-23 21:31This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.
{
"affected": [],
"aliases": [
"CVE-2026-33694"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T19:17:28Z",
"severity": "HIGH"
},
"details": "This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.",
"id": "GHSA-hjr9-62gj-chhf",
"modified": "2026-04-23T21:31:23Z",
"published": "2026-04-23T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33694"
},
{
"type": "WEB",
"url": "https://tenable.com/security/tns-2026-12"
},
{
"type": "WEB",
"url": "https://tenable.com/security/tns-2026-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HMF4-4CCH-P9XH
Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2022-05-17 05:52dhis-dummy-log-engine in dhis-server 5.3 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/dhis-dummy-log-engine.log temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4947"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "dhis-dummy-log-engine in dhis-server 5.3 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/dhis-dummy-log-engine.log temporary file.",
"id": "GHSA-hmf4-4cch-p9xh",
"modified": "2022-05-17T05:52:20Z",
"published": "2022-05-17T05:52:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4947"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496388"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/dhis-server"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30900"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HP47-JVH8-33RQ
Vulnerability from github – Published: 2022-05-01 18:09 – Updated: 2022-05-01 18:09Session fixation vulnerability in eggblog 3.1.0 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
{
"affected": [],
"aliases": [
"CVE-2007-2978"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-06-01T01:30:00Z",
"severity": "MODERATE"
},
"details": "Session fixation vulnerability in eggblog 3.1.0 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.",
"id": "GHSA-hp47-jvh8-33rq",
"modified": "2022-05-01T18:09:12Z",
"published": "2022-05-01T18:09:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2978"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34549"
},
{
"type": "WEB",
"url": "http://osvdb.org/36734"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25443"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/2756"
},
{
"type": "WEB",
"url": "http://www.majorsecurity.de/index_2.php?major_rls=major_rls48"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/469888/100/0/threaded"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.