CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1988 vulnerabilities reference this CWE, most recent first.
GHSA-CFCW-8FF3-9XW4
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0572, CVE-2019-0573.
{
"affected": [],
"aliases": [
"CVE-2019-0574"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-08T21:29:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka \"Windows Data Sharing Service Elevation of Privilege Vulnerability.\" This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0572, CVE-2019-0573.",
"id": "GHSA-cfcw-8ff3-9xw4",
"modified": "2022-05-13T01:21:18Z",
"published": "2022-05-13T01:21:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0574"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0574"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46160"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106431"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFGC-FGG8-P3QF
Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-28 19:00A Improper Link Resolution Before File Access ('Link Following') vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: SUSE openSUSE Factory sendmail versions prior to 8.17.1-1.1.
{
"affected": [],
"aliases": [
"CVE-2022-31256"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-26T09:15:00Z",
"severity": "HIGH"
},
"details": "A Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: SUSE openSUSE Factory sendmail versions prior to 8.17.1-1.1.",
"id": "GHSA-cfgc-fgg8-p3qf",
"modified": "2022-10-28T19:00:32Z",
"published": "2022-10-26T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31256"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1204696"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFP6-PP5W-4V4G
Vulnerability from github – Published: 2025-07-08 09:31 – Updated: 2025-07-08 09:31A low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device.
{
"affected": [],
"aliases": [
"CVE-2025-41668"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T07:15:25Z",
"severity": "HIGH"
},
"details": "A low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device.",
"id": "GHSA-cfp6-pp5w-4v4g",
"modified": "2025-07-08T09:31:29Z",
"published": "2025-07-08T09:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41668"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFVJ-7RX7-FC7C
Vulnerability from github – Published: 2026-03-03 21:18 – Updated: 2026-03-19 21:22Summary
stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.
Impact
When sandbox media staging handled inbound files, destination writes under media/inbound were not destination-alias-safe. If a symlink existed in that destination path, the write could follow it and overwrite host files outside the intended sandbox workspace boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version checked:
2026.3.1 - Affected:
<= 2026.3.1 - Patched versions:
>= 2026.3.2(released)
Root Cause
stageSandboxMedia validated source paths but wrote destination files with a direct copy path that did not enforce destination boundary/alias checks.
Remediation
The fix routes staging writes through root-scoped safe write primitives for both local and SCP-staged attachments, preventing destination symlink traversal escapes.
Fix Commit(s)
17ede52a4be3034f6ec4b883ac6b81ad0101558a
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31990"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:18:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n`stageSandboxMedia` allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.\n\n### Impact\nWhen sandbox media staging handled inbound files, destination writes under `media/inbound` were not destination-alias-safe. If a symlink existed in that destination path, the write could follow it and overwrite host files outside the intended sandbox workspace boundary.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version checked: `2026.3.1`\n- Affected: `\u003c= 2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)\n\n### Root Cause\n`stageSandboxMedia` validated source paths but wrote destination files with a direct copy path that did not enforce destination boundary/alias checks.\n\n### Remediation\nThe fix routes staging writes through root-scoped safe write primitives for both local and SCP-staged attachments, preventing destination symlink traversal escapes.\n\n### Fix Commit(s)\n- `17ede52a4be3034f6ec4b883ac6b81ad0101558a`",
"id": "GHSA-cfvj-7rx7-fc7c",
"modified": "2026-03-19T21:22:14Z",
"published": "2026-03-03T21:18:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31990"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace"
}
GHSA-CGHW-HVR5-W2M2
Vulnerability from github – Published: 2023-01-12 15:30 – Updated: 2023-01-20 09:30A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will make 'smbd' escape the configured share path. This flaw allows a remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside the 'smbd' configured share path and gain access to another restricted server's filesystem.
{
"affected": [],
"aliases": [
"CVE-2022-3592"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will make \u0027smbd\u0027 escape the configured share path. This flaw allows a remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside the \u0027smbd\u0027 configured share path and gain access to another restricted server\u0027s filesystem.",
"id": "GHSA-cghw-hvr5-w2m2",
"modified": "2023-01-20T09:30:30Z",
"published": "2023-01-12T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3592"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3592"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137776"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2022-3592.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CHCH-V8XX-WCP7
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 02:00A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device.
{
"affected": [],
"aliases": [
"CVE-2019-12672"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-25T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device.",
"id": "GHSA-chch-v8xx-wcp7",
"modified": "2024-04-04T02:00:07Z",
"published": "2022-05-24T16:56:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12672"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-codeexec"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJC3-7R36-PP49
Vulnerability from github – Published: 2024-09-19 09:36 – Updated: 2024-11-12 18:30A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.
{
"affected": [],
"aliases": [
"CVE-2024-45770"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-19T09:15:02Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.",
"id": "GHSA-cjc3-7r36-pp49",
"modified": "2024-11-12T18:30:51Z",
"published": "2024-09-19T09:36:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45770"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6837"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6840"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6844"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6846"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6847"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6848"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9452"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-45770"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310451"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJP2-4RWW-387P
Vulnerability from github – Published: 2022-05-14 02:56 – Updated: 2022-05-14 02:56crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users to (1) determine the existence of arbitrary files via a symlink attack on a /tmp/crontab.XXXXXXXXXX temporary file and (2) perform MD5 checksum comparisons on arbitrary pairs of files via two symlink attacks on /tmp/crontab.XXXXXXXXXX temporary files.
{
"affected": [],
"aliases": [
"CVE-2011-1073"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-03-04T23:00:00Z",
"severity": "LOW"
},
"details": "crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users to (1) determine the existence of arbitrary files via a symlink attack on a /tmp/crontab.XXXXXXXXXX temporary file and (2) perform MD5 checksum comparisons on arbitrary pairs of files via two symlink attacks on /tmp/crontab.XXXXXXXXXX temporary files.",
"id": "GHSA-cjp2-4rww-387p",
"modified": "2022-05-14T02:56:13Z",
"published": "2022-05-14T02:56:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1073"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65899"
},
{
"type": "WEB",
"url": "http://marc.info/?l=full-disclosure\u0026m=129891323028897\u0026w=2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/28/14"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/28/6"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/8117"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/516716/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/46604"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CM4X-R333-VVV9
Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2025-05-30 18:30A link-manipulation issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP4.
{
"affected": [],
"aliases": [
"CVE-2022-38482"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "A link-manipulation issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP4.",
"id": "GHSA-cm4x-r333-vvv9",
"modified": "2025-05-30T18:30:45Z",
"published": "2023-01-10T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38482"
},
{
"type": "WEB",
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-38482"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/CVE-2022-38482"
},
{
"type": "WEB",
"url": "https://www.mega.com/en/hopex-platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CMGP-37PH-2PH7
Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files used by the cli_gentempfd function in libclamav/others.c or on (2) .ascii files used by sigtool, when utf16-decode is enabled.
{
"affected": [],
"aliases": [
"CVE-2007-6595"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-12-31T19:46:00Z",
"severity": "LOW"
},
"details": "ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files used by the cli_gentempfd function in libclamav/others.c or on (2) .ascii files used by sigtool, when utf16-decode is enabled.",
"id": "GHSA-cmgp-37ph-2ph7",
"modified": "2022-05-01T18:44:33Z",
"published": "2022-05-01T18:44:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6595"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39335"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39339"
},
{
"type": "WEB",
"url": "http://kolab.org/security/kolab-vendor-notice-19.txt"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00009.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28949"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29891"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31437"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200808-07.xml"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/3501"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1019148"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1497"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:088"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/485631/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27064"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/0606"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.