CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-9GH8-72QR-QFC7
Vulnerability from github – Published: 2024-05-02 15:30 – Updated: 2026-02-17 18:32An Improper Link Resolution Before File Access ('Link Following') vulnerability in Zscaler Client Connector on Mac allows a system file to be overwritten.This issue affects Zscaler Client Connector on Mac : before 3.7.
{
"affected": [],
"aliases": [
"CVE-2024-23459"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T13:23:06Z",
"severity": "HIGH"
},
"details": "An Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability in Zscaler Client Connector on Mac allows a system file to be overwritten.This issue affects Zscaler Client Connector on Mac : before 3.7.",
"id": "GHSA-9gh8-72qr-qfc7",
"modified": "2026-02-17T18:32:54Z",
"published": "2024-05-02T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23459"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=macos\u0026applicable_version=3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9GJC-H498-FF34
Vulnerability from github – Published: 2024-01-23 21:30 – Updated: 2025-06-20 21:31An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading for a local privilege escalation on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-52094"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T21:15:09Z",
"severity": "HIGH"
},
"details": "An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading for a local privilege escalation on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-9gjc-h498-ff34",
"modified": "2025-06-20T21:31:50Z",
"published": "2024-01-23T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52094"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000296151?language=en_US"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9GQX-HPG2-MPPR
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2023-01-09 18:30An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A local attacker may be able to elevate their privileges.
{
"affected": [],
"aliases": [
"CVE-2020-9901"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-22T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. A local attacker may be able to elevate their privileges.",
"id": "GHSA-9gqx-hpg2-mppr",
"modified": "2023-01-09T18:30:25Z",
"published": "2022-05-24T17:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9901"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211288"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211289"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HG3-M3P7-MJM6
Vulnerability from github – Published: 2026-07-14 03:31 – Updated: 2026-07-14 03:31A vulnerability was detected in mosaxiv clawlet up to 0.2.10. This impacts the function read_file/write_file/edit_file of the file tools/fs_ops.go of the component File Tools. Performing a manipulation results in link following. The attack needs to be approached locally. The reported GitHub issue was closed with the label "not planned".
{
"affected": [],
"aliases": [
"CVE-2026-15621"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T01:16:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in mosaxiv clawlet up to 0.2.10. This impacts the function read_file/write_file/edit_file of the file tools/fs_ops.go of the component File Tools. Performing a manipulation results in link following. The attack needs to be approached locally. The reported GitHub issue was closed with the label \"not planned\".",
"id": "GHSA-9hg3-m3p7-mjm6",
"modified": "2026-07-14T03:31:34Z",
"published": "2026-07-14T03:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15621"
},
{
"type": "WEB",
"url": "https://github.com/mosaxiv/clawlet/issues/15"
},
{
"type": "WEB",
"url": "https://github.com/mosaxiv/clawlet"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15621"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/855796"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/378124"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/378124/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9HH6-P5C5-MMMF
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-06-07 00:00An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
{
"affected": [],
"aliases": [
"CVE-2021-28153"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-11T22:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)",
"id": "GHSA-9hh6-p5c5-mmmf",
"modified": "2022-06-07T00:00:35Z",
"published": "2022-05-24T17:44:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2325"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-13"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210416-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9HH8-9M39-758P
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.
{
"affected": [],
"aliases": [
"CVE-2020-27697"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T19:15:00Z",
"severity": "HIGH"
},
"details": "Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.",
"id": "GHSA-9hh8-9m39-758p",
"modified": "2022-05-24T17:34:31Z",
"published": "2022-05-24T17:34:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27697"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HJG-77W4-4H5J
Vulnerability from github – Published: 2025-04-16 21:30 – Updated: 2025-04-16 21:30A Improper Link Resolution vulnerability (CWE-59) in the SonicWall Connect Tunnel Windows (32 and 64 bit) client, this results in unauthorized file overwrite, potentially leading to denial of service or file corruption.
{
"affected": [],
"aliases": [
"CVE-2025-32817"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T20:15:19Z",
"severity": "HIGH"
},
"details": "A Improper Link Resolution vulnerability (CWE-59) in the SonicWall Connect Tunnel Windows (32 and 64 bit) client, this results in unauthorized file overwrite, potentially leading to denial of service or file corruption.",
"id": "GHSA-9hjg-77w4-4h5j",
"modified": "2025-04-16T21:30:57Z",
"published": "2025-04-16T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32817"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9HX9-W2J6-RW76
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2025-04-13 23:26The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "show_in_browser"
},
"versions": [
"0.0.3"
]
}
],
"aliases": [
"CVE-2013-2105"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:28:50Z",
"nvd_published_at": "2014-04-22T14:23:33Z",
"severity": "MODERATE"
},
"details": "The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on `/tmp/browser.html`.",
"id": "GHSA-9hx9-w2j6-rw76",
"modified": "2025-04-13T23:26:43Z",
"published": "2017-10-24T18:33:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2105"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84378"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonleung/show_in_browser"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/show_in_browser/CVE-2013-2105.yml"
},
{
"type": "WEB",
"url": "http://vapid.dhs.org/advisories/show_in_browser.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/05/18/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Script Injection in Show In Browser gem"
}
GHSA-9JPQ-JCJR-F4M4
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Windows Common Log File System Driver Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43501"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:11Z",
"severity": "HIGH"
},
"details": "Windows Common Log File System Driver Elevation of Privilege Vulnerability",
"id": "GHSA-9jpq-jcjr-f4m4",
"modified": "2024-10-08T18:33:15Z",
"published": "2024-10-08T18:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43501"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43501"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9JPV-XJWW-74VR
Vulnerability from github – Published: 2024-12-31 18:30 – Updated: 2024-12-31 18:30A LogServer arbitrary file creation vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-52050"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-31T16:15:26Z",
"severity": "HIGH"
},
"details": "A LogServer arbitrary file creation vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-9jpv-xjww-74vr",
"modified": "2024-12-31T18:30:51Z",
"published": "2024-12-31T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52050"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0018217"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.