CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-F762-5MRW-32X8
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-05-26 21:31FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
{
"affected": [],
"aliases": [
"CVE-2026-48693"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T17:16:53Z",
"severity": "MODERATE"
},
"details": "FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to \u0027/tmp/fastnetmon.dat\u0027 (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).",
"id": "GHSA-f762-5mrw-32x8",
"modified": "2026-05-26T21:31:57Z",
"published": "2026-05-26T18:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48693"
},
{
"type": "WEB",
"url": "https://github.com/pavel-odintsov/fastnetmon"
},
{
"type": "WEB",
"url": "https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp"
},
{
"type": "WEB",
"url": "https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon_logic.cpp"
},
{
"type": "WEB",
"url": "https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48693-symlink-tmp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7H3-WHMX-5PQJ
Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2022-06-25 00:00Vulnerabilities in the Drive Composer allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Drive Composer installer file allows a low-privileged user to run a "repair" operation on the product.
{
"affected": [],
"aliases": [
"CVE-2022-31218"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-15T19:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerabilities in the Drive Composer allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Drive Composer installer file allows a low-privileged user to run a \"repair\" operation on the product.",
"id": "GHSA-f7h3-whmx-5pqj",
"modified": "2022-06-25T00:00:51Z",
"published": "2022-06-16T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31218"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\u0026_ga=2.38192870.478847987.1655218701-372504397.1647012599"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F7P3-FCMR-GW5F
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2025-11-04 21:30This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.6, tvOS 17, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2023-41968"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:31Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.6, tvOS 17, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read arbitrary files.",
"id": "GHSA-f7p3-fcmr-gw5f",
"modified": "2025-11-04T21:30:43Z",
"published": "2023-09-27T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41968"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213931"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213932"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213936"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213937"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213938"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213940"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213931"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213932"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213937"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213938"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213940"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/3"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/5"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/6"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7WW-2725-QVW2
Vulnerability from github – Published: 2026-03-02 23:35 – Updated: 2026-03-18 21:53Summary
For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.25 - Fixed:
>= 2026.2.26(planned next npm release)
Impact
A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.
Fix
- Added immutable approval-time plan preparation (
system.run.prepare) andsystemRunPlanV2canonical fields (argv,cwd,agentId,sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization.
- Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass.
- Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift.
Fix Commit(s)
78a7ff2d50fb3bcef351571cb5a0f21430a340c1d82c042b09727a6148f3ca651b254c4a677aff26d06632ba45a8482192792c55d5ff0b2e21abb0a74e690e09c746408b5e27617a20cb3fdc5190dbda4b4718c8dfce2e2c48404aa5088af7c013bed60b
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27545"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T23:35:56Z",
"nvd_published_at": "2026-03-18T02:16:23Z",
"severity": "HIGH"
},
"details": "## Summary\nFor `host=node` executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in `cwd` while preserving the visible `cwd` string.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.25`\n- Fixed: `\u003e= 2026.2.26` (planned next npm release)\n\n## Impact\nA command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.\n\n## Fix\n- Added immutable approval-time plan preparation (`system.run.prepare`) and `systemRunPlanV2` canonical fields (`argv`, `cwd`, `agentId`, `sessionKey`).\n- Enforced canonical plan values through approval request storage and forwarding-time sanitization.\n- Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass.\n- Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift.\n\n## Fix Commit(s)\n- `78a7ff2d50fb3bcef351571cb5a0f21430a340c1`\n- `d82c042b09727a6148f3ca651b254c4a677aff26`\n- `d06632ba45a8482192792c55d5ff0b2e21abb0a7`\n- `4e690e09c746408b5e27617a20cb3fdc5190dbda`\n- `4b4718c8dfce2e2c48404aa5088af7c013bed60b`\n\n## Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`). Once npm `openclaw@2026.2.26` is published, publish this advisory directly without further version-field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-f7ww-2725-qvw2",
"modified": "2026-03-18T21:53:47Z",
"published": "2026-03-02T23:35:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27545"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4b4718c8dfce2e2c48404aa5088af7c013bed60b"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4e690e09c746408b5e27617a20cb3fdc5190dbda"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/78a7ff2d50fb3bcef351571cb5a0f21430a340c1"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d06632ba45a8482192792c55d5ff0b2e21abb0a7"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d82c042b09727a6148f3ca651b254c4a677aff26"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-parent-symlink-current-working-directory-rebind"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind"
}
GHSA-F87G-RQHG-RQ8R
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2024-08-01 15:31Windows Setup Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-43237"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Windows Setup Elevation of Privilege Vulnerability",
"id": "GHSA-f87g-rqhg-rq8r",
"modified": "2024-08-01T15:31:16Z",
"published": "2021-12-16T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43237"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43237"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F89C-WHFR-778H
Vulnerability from github – Published: 2022-04-30 18:19 – Updated: 2024-02-21 21:30NTFS file system in Windows NT 4.0 and Windows 2000 SP2 allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
{
"affected": [],
"aliases": [
"CVE-2002-0725"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-09-05T04:00:00Z",
"severity": "MODERATE"
},
"details": "NTFS file system in Windows NT 4.0 and Windows 2000 SP2 allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.",
"id": "GHSA-f89c-whfr-778h",
"modified": "2024-02-21T21:30:21Z",
"published": "2022-04-30T18:19:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0725"
},
{
"type": "WEB",
"url": "http://www.atstake.com/research/advisories/2000/a081602-1.txt"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/9869.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5484"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F89H-2FJH-2R9Q
Vulnerability from github – Published: 2026-05-07 00:01 – Updated: 2026-05-14 20:43Summary
A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.
Details
During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack.
gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs:195-197 invokes only delegate.push_directory(), never delegate.push().
In gix_worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push_directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink_metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories.
Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:
- A
120000(symlink) entryathat points to.git/hooks. - A
040000(directory) entryawith a subtree that contains a symlink frompost-checkoutto../../payload. - A
100755(executable file) entrypayload.
This is converted by gix_index::State::from_tree() into index entries ["a" (SYMLINK), "a/post-checkout" (SYMLINK)].
Then, during the delayed symlink phase:
ais created as a symlink to e.g..git/hooks.- When processing
a/post-checkout, theaprefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which… symlink(target, "<wt>/a/post-checkout")resolves through the just-created symlink to write.git/hooks/post-checkout.
Although this example uses .git/hooks for simplicity, there's no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed — for example, by writing to .git/hooks/post-checkout if the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like ~/.local/bin.
PoC
Attached is build-bad-repo.sh, which builds a repo with the aforementioned tree structure. Cloning it with gix will set up the malicious .git/hooks/post-checkout, at which point anything that normally invokes the post-checkout hook will result in its execution, such as git checkout -b new-branch.
Impact
Arbitrary symlink creation into any existing directory the user can write to.
Disclosure
This vulnerability was found by AI (specifically, Claude Mythos) as part of Project Glasswing. This advisory was written and verified by a human.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.21.0"
},
"package": {
"ecosystem": "crates.io",
"name": "gix-fs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44471"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:01:28Z",
"nvd_published_at": "2026-05-13T22:16:46Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.\n\n### Details\n\nDuring checkout, all symlink index entries are deferred and created after regular files using a single shared `gix_worktree::Stack`. Internally, this uses a `gix_fs::Stack`.\n\n`gix_fs::Stack::make_relative_path_current()` caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at `gix-fs/src/stack.rs:195-197` invokes only `delegate.push_directory()`, never `delegate.push()`.\n\nIn `gix_worktree::stack::delegate::StackDelegate`, when the state member is `State::CreateDirectoryAndAttributesStack`, `Attributes::push_directory()` only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk `symlink_metadata()` check and unlink-on-collision live in `StackDelegate::push()`\u0027s invocation of `create_leading_directory()`, which is therefore bypassed for the cached prefix. The final symlink is created with plain `std::os::unix::fs::symlink`, which follows symlinks in parent directories.\n\nTherefore, it\u0027s possible to provide a tree with duplicate symlink and directory entries that exploits this. If a tree is constructed with:\n\n1. A `120000` (symlink) entry `a` that points to `.git/hooks`.\n2. A `040000` (directory) entry `a` with a subtree that contains a symlink from `post-checkout` to `../../payload`.\n3. A `100755` (executable file) entry `payload`.\n\nThis is converted by `gix_index::State::from_tree()` into index entries `[\"a\" (SYMLINK), \"a/post-checkout\" (SYMLINK)]`.\n\nThen, during the delayed symlink phase:\n\n1. `a` is created as a symlink to e.g. `.git/hooks`.\n2. When processing `a/post-checkout`, the `a` prefix is reused from the just-processed leaf entry without re-running the intermediate-directory check, after which\u2026\n3. `symlink(target, \"\u003cwt\u003e/a/post-checkout\")` resolves through the just-created symlink to write `.git/hooks/post-checkout`.\n\nAlthough this example uses `.git/hooks` for simplicity, there\u0027s no actual requirement to write within the repo checkout. This can be fairly easily chained into code execution by writing to something that is known to be executed \u2014 for example, by writing to `.git/hooks/post-checkout` if the attacker knows that a hook-aware Git implementation will be used later, or by writing to something like `~/.local/bin`.\n\n### PoC\n\nAttached is [build-bad-repo.sh](https://github.com/user-attachments/files/27223800/build-bad-repo.sh), which builds a repo with the aforementioned tree structure. Cloning it with `gix` will set up the malicious `.git/hooks/post-checkout`, at which point anything that normally invokes the `post-checkout` hook will result in its execution, such as `git checkout -b new-branch`.\n\n### Impact\n\nArbitrary symlink creation into any existing directory the user can write to.\n\n### Disclosure\n\nThis vulnerability was found by AI (specifically, Claude Mythos) as part of [Project Glasswing](https://www.anthropic.com/glasswing). This advisory was written and verified by a human.",
"id": "GHSA-f89h-2fjh-2r9q",
"modified": "2026-05-14T20:43:45Z",
"published": "2026-05-07T00:01:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f89h-2fjh-2r9q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44471"
},
{
"type": "PACKAGE",
"url": "https://github.com/GitoxideLabs/gitoxide"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "gix-fs: Symlink prefix-reuse allows worktree escape during checkout"
}
GHSA-F943-XHH7-7C5G
Vulnerability from github – Published: 2026-07-14 09:31 – Updated: 2026-07-14 09:31An Improper link resolution before file access ('link following') vulnerability in the File Shredder module as used in Bitdefender Total Security and Internet Security on Windows allows a less-privileged local user to elevate rights by leveraging a race conditions via Symbolic Links.
This issue affects Total Security: before 27.0.58.315; Internet Security: before 27.0.58.315.
{
"affected": [],
"aliases": [
"CVE-2026-6851"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T08:16:24Z",
"severity": "HIGH"
},
"details": "An Improper link resolution before file access (\u0027link following\u0027) vulnerability in the File Shredder module as used in Bitdefender Total Security and Internet Security on Windows allows a less-privileged local user to elevate rights by leveraging a race conditions via Symbolic Links.\n\nThis issue affects Total Security: before 27.0.58.315; Internet Security: before 27.0.58.315.",
"id": "GHSA-f943-xhh7-7c5g",
"modified": "2026-07-14T09:31:42Z",
"published": "2026-07-14T09:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6851"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/support/security-advisories/improper-link-resolution-before-file-access-via-link-following-va-13681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F98H-4X3R-HGHQ
Vulnerability from github – Published: 2024-05-17 00:31 – Updated: 2024-05-17 00:31Azure Monitor Agent Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30060"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T23:15:49Z",
"severity": "HIGH"
},
"details": "Azure Monitor Agent Elevation of Privilege Vulnerability",
"id": "GHSA-f98h-4x3r-hghq",
"modified": "2024-05-17T00:31:00Z",
"published": "2024-05-17T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30060"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F9M7-VC86-P6JJ
Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15Impact
The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archive can be used to write or overwrite files one directory level above the intended extraction path. In the case of qbee-agent, which runs with root privileges, this vulnerability permits a root-privileged file write outside the intended destination.
Patches
The issue has been addressed in version v1.26.25
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.qbee.io/transport"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55828"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:15:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library\u0027s path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archive can be used to write or overwrite files one directory level above the intended extraction path. In the case of qbee-agent, which runs with root privileges, this vulnerability permits a root-privileged file write outside the intended destination.\n\n### Patches\n\nThe issue has been addressed in version v1.26.25",
"id": "GHSA-f9m7-vc86-p6jj",
"modified": "2026-06-19T21:15:31Z",
"published": "2026-06-19T21:15:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/qbee-io/transport/security/advisories/GHSA-f9m7-vc86-p6jj"
},
{
"type": "PACKAGE",
"url": "https://github.com/qbee-io/transport"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.