Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1992 vulnerabilities reference this CWE, most recent first.

GHSA-FV8P-4M6F-8CRP

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-18 00:00
VLAI
Details

An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-10T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper link resolution before file access (\u0027link following\u0027) vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms.",
  "id": "GHSA-fv8p-4m6f-8crp",
  "modified": "2022-02-18T00:00:56Z",
  "published": "2022-02-11T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0017"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2022-0017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FV94-QVG8-XQPW

Vulnerability from github – Published: 2026-04-02 21:23 – Updated: 2026-05-06 19:11
VLAI
Summary
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
Details

Summary

SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host

Current Maintainer Triage

  • Status: open
  • Normalized severity: high
  • Assessment: Real in shipped v2026.3.28: SSH sandbox tar upload lacked pre-upload symlink escape rejection until 3d5af14984 on 2026-03-31; maintainers already accepted it and the fix is unreleased.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 3d5af14984ac1976c747a8e11581d697bd0829dc — 2026-03-31T19:56:45+09:00

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T21:23:32Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\nSSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real in shipped v2026.3.28: SSH sandbox tar upload lacked pre-upload symlink escape rejection until 3d5af14984 on 2026-03-31; maintainers already accepted it and the fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `3d5af14984ac1976c747a8e11581d697bd0829dc` \u2014 2026-03-31T19:56:45+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-fv94-qvg8-xqpw",
  "modified": "2026-05-06T19:11:31Z",
  "published": "2026-04-02T21:23:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host"
}

GHSA-FVQ9-6J72-7GCV

Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30
VLAI
Details

Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.

These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account. Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T16:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.\n\nThese vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account.\nNote: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices.\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.",
  "id": "GHSA-fvq9-6j72-7gcv",
  "modified": "2024-11-15T18:30:50Z",
  "published": "2024-11-15T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20004"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-file-write-rHKwegKf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FW7P-W2P7-VC8C

Vulnerability from github – Published: 2022-05-17 00:30 – Updated: 2022-05-17 00:30
VLAI
Details

IBM Spectrum Protect 7.1 and 8.1 could allow a local attacker to launch a symlink attack. IBM Spectrum Protect Backup-archive Client creates temporary files insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. IBM X-Force ID: 125163.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-05T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect 7.1 and 8.1 could allow a local attacker to launch a symlink attack. IBM Spectrum Protect Backup-archive Client creates temporary files insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. IBM X-Force ID: 125163.",
  "id": "GHSA-fw7p-w2p7-vc8c",
  "modified": "2022-05-17T00:30:18Z",
  "published": "2022-05-17T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1301"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125163"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22006248"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FW87-FV5R-9FPW

Vulnerability from github – Published: 2026-06-16 20:12 – Updated: 2026-06-16 20:12
VLAI
Summary
Hugo: Symlink confinement bypass in resources.Get
Details

Commit: f8b5fa09a6Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gohugoio/hugo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.123.0"
            },
            {
              "fixed": "0.162.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T20:12:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "**Commit:** [f8b5fa09a6](https://github.com/gohugoio/hugo/commit/f8b5fa09a6) \u2014 _Fix prevention of direct symlink reads in resources.Get_\n**Affected versions:** v0.123.0 through v0.161.1. Earlier versions are not affected.\n**Fixed in:** v0.162.0.\n**Severity:** Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory \u2014 for example, inside a locally-vendored theme under `themes/`. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via `resources.Get` followed symlinks.\n\n**Description.** Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused `RootMappingFs.statRoot` to call `Stat` (which follows symlinks) instead of `Lstat`, so a direct `resources.Get \"somefile\"` where `somefile` was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running `hugo`.\n\n**Mitigation.** v0.162.0 calls `LstatIfPossible` and rejects symlinked entries with `os.ErrNotExist`, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.",
  "id": "GHSA-fw87-fv5r-9fpw",
  "modified": "2026-06-16T20:12:34Z",
  "published": "2026-06-16T20:12:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gohugoio/hugo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hugo: Symlink confinement bypass in resources.Get"
}

GHSA-FWWC-Q5JC-8PWM

Vulnerability from github – Published: 2022-04-30 18:11 – Updated: 2025-04-03 03:34
VLAI
Details

Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-1999-0794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "1999-10-01T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.",
  "id": "GHSA-fwwc-q5jc-8pwm",
  "modified": "2025-04-03T03:34:49Z",
  "published": "2022-04-30T18:11:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-1999-0794"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-044"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ241900"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ241901"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ241902"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241900"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241901"
    },
    {
      "type": "WEB",
      "url": "http://support.microsoft.com/default.aspx?scid=kb;[LN];Q241902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FX3W-HJ7J-HFGF

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2025-10-22 00:31
VLAI
Details

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.",
  "id": "GHSA-fx3w-hj7j-hfgf",
  "modified": "2025-10-22T00:31:51Z",
  "published": "2022-05-24T17:11:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3950"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3950"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2020-0005.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156843/VMware-Fusion-11.5.2-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157079/VMware-Fusion-USB-Arbitrator-Setuid-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FX49-8C29-QFFW

Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03
VLAI
Details

src/main-win.c in GPicView 0.1.9 in Lightweight X11 Desktop Environment (LXDE) allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rot.jpg temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-03T14:12:00Z",
    "severity": "MODERATE"
  },
  "details": "src/main-win.c in GPicView 0.1.9 in Lightweight X11 Desktop Environment (LXDE) allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rot.jpg temporary file.",
  "id": "GHSA-fx49-8c29-qffw",
  "modified": "2022-05-02T00:03:46Z",
  "published": "2022-05-02T00:03:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3791"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495968"
    },
    {
      "type": "WEB",
      "url": "http://lxde.svn.sourceforge.net/viewvc/lxde?view=rev\u0026sortby=date\u0026revision=845"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/tracker/index.php?func=detail\u0026aid=2019481\u0026group_id=180858\u0026atid=894869"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/25/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/26/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/08/26/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FX78-2G59-7RRF

Vulnerability from github – Published: 2022-05-17 05:45 – Updated: 2022-05-17 05:45
VLAI
Details

jhead.c in Matthias Wandel jhead 2.84 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-10-21T18:00:00Z",
    "severity": "MODERATE"
  },
  "details": "jhead.c in Matthias Wandel jhead 2.84 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file.",
  "id": "GHSA-fx78-2g59-7rrf",
  "modified": "2022-05-17T05:45:03Z",
  "published": "2022-05-17T05:45:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4639"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/15/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/15/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/16/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2009/02/06/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FXCJ-7H34-WRRR

Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31
VLAI
Details

AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of screen recording files. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26591.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T22:16:45Z",
    "severity": "MODERATE"
  },
  "details": "AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of screen recording files. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26591.",
  "id": "GHSA-fxcj-7h34-wrrr",
  "modified": "2026-07-14T00:31:01Z",
  "published": "2026-07-14T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15681"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-400"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.