CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-9C49-89G5-WCX6
Vulnerability from github – Published: 2022-05-02 00:05 – Updated: 2022-05-02 00:05migrate_aliases.sh in Citadel Server 7.37 allows local users to overwrite arbitrary files via a symlink attack on a temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-3930"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-04T18:41:00Z",
"severity": "MODERATE"
},
"details": "migrate_aliases.sh in Citadel Server 7.37 allows local users to overwrite arbitrary files via a symlink attack on a temporary file.",
"id": "GHSA-9c49-89g5-wcx6",
"modified": "2022-05-02T00:05:06Z",
"published": "2022-05-02T00:05:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3930"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44734"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496359"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/citadel-server"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31648"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30877"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9C4H-XHG9-X3GJ
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2026-02-12 00:31A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by adding a malicious entry to the registry under the Trellix SIR registry folder or via policy or with a junction symbolic link to files that the user would not normally have permission to acces
{
"affected": [],
"aliases": [
"CVE-2025-3771"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-26T11:15:29Z",
"severity": "HIGH"
},
"details": "A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by adding a malicious entry to the registry under the Trellix SIR registry folder or via policy or with a junction symbolic link to files that the user would not normally have permission to acces",
"id": "GHSA-9c4h-xhg9-x3gj",
"modified": "2026-02-12T00:31:02Z",
"published": "2025-06-26T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3771"
},
{
"type": "WEB",
"url": "https://thrive.trellix.com/s/article/000014635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9C6C-F33Q-QHR3
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-02-27 21:31In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.
{
"affected": [],
"aliases": [
"CVE-2019-11538"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-26T02:29:00Z",
"severity": "HIGH"
},
"details": "In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.",
"id": "GHSA-9c6c-f33q-qhr3",
"modified": "2024-02-27T21:31:21Z",
"published": "2022-05-24T16:44:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11538"
},
{
"type": "WEB",
"url": "https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study"
},
{
"type": "WEB",
"url": "https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/927237"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9C9V-W225-V5RG
Vulnerability from github – Published: 2023-08-15 20:35 – Updated: 2023-08-23 17:19Impact
A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system.
Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's content/ folder
Vulnerable versions
This security vulnerability is present in Ghost ≤ v5.59.0.
Patches
v5.59.1 contains a fix for this issue.
For more information
If you have any questions or comments about this advisory: * Email us at security@ghost.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ghost"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.59.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40028"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-15T20:35:20Z",
"nvd_published_at": "2023-08-15T18:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system.\n\nSite administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost\u0027s `content/` folder\n\n### Vulnerable versions\n\nThis security vulnerability is present in Ghost \u2264 v5.59.0.\n\n### Patches\n\nv5.59.1 contains a fix for this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@ghost.org](mailto:security@ghost.org)\n",
"id": "GHSA-9c9v-w225-v5rg",
"modified": "2023-08-23T17:19:50Z",
"published": "2023-08-15T20:35:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40028"
},
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205"
},
{
"type": "PACKAGE",
"url": "https://github.com/TryGhost/Ghost"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ghost vulnerable to arbitrary file read via symlinks in content import"
}
GHSA-9CV6-73MR-84FW
Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 21:30This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2026-20633"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T01:17:04Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access user-sensitive data.",
"id": "GHSA-9cv6-73mr-84fw",
"modified": "2026-03-25T21:30:28Z",
"published": "2026-03-25T03:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20633"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126794"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126795"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126796"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CXR-86MW-8JW2
Vulnerability from github – Published: 2024-09-26 03:30 – Updated: 2025-05-13 03:31An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder.
Important: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log into the local console of the Windows environment hosting the PaperCut NG/MF application server.
Note:
This CVE has been split from CVE-2024-3037.
{
"affected": [],
"aliases": [
"CVE-2024-8404"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T02:15:02Z",
"severity": "HIGH"
},
"details": "An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. \n\nImportant: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log into the local console of the Windows environment hosting the PaperCut NG/MF application server.\n\nNote: \n\nThis CVE has been split from CVE-2024-3037.",
"id": "GHSA-9cxr-86mw-8jw2",
"modified": "2025-05-13T03:31:13Z",
"published": "2024-09-26T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8404"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/Security-Bulletin-May-2024"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/Security-Bulletin-May-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9F84-FG53-W8Q5
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-55317"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:16:07Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-9f84-fg53-w8q5",
"modified": "2025-09-09T18:31:23Z",
"published": "2025-09-09T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55317"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55317"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FX7-23QC-WWJV
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-29 00:01An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access a user's files.
{
"affected": [],
"aliases": [
"CVE-2022-22585"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access a user\u0027s files.",
"id": "GHSA-9fx7-23qc-wwjv",
"modified": "2022-03-29T00:01:35Z",
"published": "2022-03-19T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22585"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213053"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213054"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213055"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213057"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213059"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9G9M-P4QH-2GJ3
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-05-24 16:50A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
{
"affected": [],
"aliases": [
"CVE-2019-12573"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-11T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.",
"id": "GHSA-9g9m-p4qh-2gj3",
"modified": "2022-05-24T16:50:06Z",
"published": "2022-05-24T16:50:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12573"
},
{
"type": "WEB",
"url": "https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12573.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9GGW-H9MF-4JH7
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-02 16:50Jenkins CloudBees CD Plugin temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step.
CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller when collecting the list of files to publish.
This allows attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
CloudBees CD Plugin 1.1.33 ensures that only files located within the expected directory are published.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:electricflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46655"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-30T15:02:06Z",
"nvd_published_at": "2023-10-25T18:17:40Z",
"severity": "MODERATE"
},
"details": "Jenkins CloudBees CD Plugin temporarily copies files from an agent workspace to the controller in preparation for publishing them in the \u0027CloudBees CD - Publish Artifact\u0027 post-build step.\n\nCloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller when collecting the list of files to publish.\n\nThis allows attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.\n\nCloudBees CD Plugin 1.1.33 ensures that only files located within the expected directory are published.",
"id": "GHSA-9ggw-h9mf-4jh7",
"modified": "2023-11-02T16:50:54Z",
"published": "2023-10-25T18:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46655"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/electricflow-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3238"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins CloudBees CD Plugin vulnerable to arbitrary file read"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.