CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-C3C7-HP6G-R6V8
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18find_flags in Kitware GCC-XML (gccxml) 0.9.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.cxx temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4957"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "find_flags in Kitware GCC-XML (gccxml) 0.9.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.cxx temporary file.",
"id": "GHSA-c3c7-hp6g-r6v8",
"modified": "2022-05-17T02:18:32Z",
"published": "2022-05-17T02:18:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4957"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46408"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496391"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/gccxml"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C3WC-3FRP-JHMQ
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2026-49180"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:53Z",
"severity": "MODERATE"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.",
"id": "GHSA-c3wc-3frp-jhmq",
"modified": "2026-07-14T18:32:00Z",
"published": "2026-07-14T18:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49180"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C3WQ-J5VH-68RC
Vulnerability from github – Published: 2026-06-19 17:45 – Updated: 2026-06-19 17:45Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected.
Fixed in: v0.163.1.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.
Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gohugoio/hugo"
},
"ranges": [
{
"events": [
{
"introduced": "0.123.0"
},
{
"fixed": "0.163.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T17:45:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "**Affected versions:** v0.123.0 through v0.163.0. Earlier versions are not affected.\n**Fixed in:** v0.163.1.\n**Severity:** Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory \u2014 for example, inside a locally-vendored theme under `themes/`. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via `resources.Get` followed symlinks.\n\n**Description.** Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused `RootMappingFs.statRoot` to call `Stat` (which follows symlinks) instead of `Lstat`, so a direct `os.ReadFile \"somefile\"` where `somefile` was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running `hugo`.",
"id": "GHSA-c3wq-j5vh-68rc",
"modified": "2026-06-19T17:45:38Z",
"published": "2026-06-19T17:45:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc"
},
{
"type": "PACKAGE",
"url": "https://github.com/gohugoio/hugo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hugo: Symlink confinement bypass in os.ReadFile"
}
GHSA-C3WR-WRC5-MQG4
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18scilab-bin 4.1.2 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/SciLink#####1, (b) /tmp/SciLink#####2, (c) /tmp/SciLink#####3, (d) /tmp/.#####, (e) /tmp/.#####.res, (f) /tmp/.#####.err, and (g) /tmp/.#####.diff temporary files, related to the (1) scilink, (2) scidoc, and (3) scidem scripts.
{
"affected": [],
"aliases": [
"CVE-2008-4983"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "scilab-bin 4.1.2 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/SciLink#####1, (b) /tmp/SciLink#####2, (c) /tmp/SciLink#####3, (d) /tmp/*.#####, (e) /tmp/*.#####.res, (f) /tmp/*.#####.err, and (g) /tmp/*.#####.diff temporary files, related to the (1) scilink, (2) scidoc, and (3) scidem scripts.",
"id": "GHSA-c3wr-wrc5-mqg4",
"modified": "2022-05-17T02:18:27Z",
"published": "2022-05-17T02:18:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4983"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44883"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496414"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/scilab-bin"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33630"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200901-14.xml"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30968"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C48C-24J9-J745
Vulnerability from github – Published: 2024-02-29 21:30 – Updated: 2024-02-29 21:30Improper Link Resolution Before File Access ('Link Following') vulnerability in HYPR Workforce Access on MacOS allows File Manipulation.This issue affects Workforce Access: before 8.7.1.
{
"affected": [],
"aliases": [
"CVE-2024-0068"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T20:15:41Z",
"severity": "MODERATE"
},
"details": "Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability in HYPR Workforce Access on MacOS allows File Manipulation.This issue affects Workforce Access: before 8.7.1.\n\n",
"id": "GHSA-c48c-24j9-j745",
"modified": "2024-02-29T21:30:51Z",
"published": "2024-02-29T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0068"
},
{
"type": "WEB",
"url": "https://www.hypr.com/trust-center/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C4CC-F3XF-QQPW
Vulnerability from github – Published: 2022-05-14 03:18 – Updated: 2022-05-14 03:18In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses.
{
"affected": [],
"aliases": [
"CVE-2018-10722"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-04T00:29:00Z",
"severity": "HIGH"
},
"details": "In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\\Cylance\\Desktop\\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses.",
"id": "GHSA-c4cc-f3xf-qqpw",
"modified": "2022-05-14T03:18:34Z",
"published": "2022-05-14T03:18:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10722"
},
{
"type": "WEB",
"url": "https://www.atredis.com/blog/cylance-privilege-escalation-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5FP-QRW2-8X2W
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-07-30 00:00A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2021-27851"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.",
"id": "GHSA-c5fp-qrw2-8x2w",
"modified": "2022-07-30T00:00:35Z",
"published": "2022-05-24T22:28:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27851"
},
{
"type": "WEB",
"url": "https://bugs.gnu.org/47229"
},
{
"type": "WEB",
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C76R-G8Q5-M4CV
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30Microsoft Brokering File System Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-28907"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T17:15:49Z",
"severity": "HIGH"
},
"details": "Microsoft Brokering File System Elevation of Privilege Vulnerability",
"id": "GHSA-c76r-g8q5-m4cv",
"modified": "2024-04-09T18:30:26Z",
"published": "2024-04-09T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28907"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28907"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C792-8WX7-J3V9
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2025-05-20 18:30An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0986"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-12T14:29:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka \u0027Windows User Profile Service Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-c792-8wx7-j3v9",
"modified": "2025-05-20T18:30:36Z",
"published": "2022-05-24T16:47:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0986"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0986"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C7FC-4FVH-989J
Vulnerability from github – Published: 2022-05-17 04:52 – Updated: 2022-05-17 04:52fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack.
{
"affected": [],
"aliases": [
"CVE-2011-0541"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-09-02T23:55:00Z",
"severity": "LOW"
},
"details": "fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack.",
"id": "GHSA-c7fc-4fvh-989j",
"modified": "2022-05-17T04:52:58Z",
"published": "2022-05-17T04:52:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0541"
},
{
"type": "WEB",
"url": "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse%3Ba=commit%3Bh=bf5ffb5fd8558bd799791834def431c0cee5a11f"
},
{
"type": "WEB",
"url": "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/02/02/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/02/03/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/02/08/4"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.