CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1983 vulnerabilities reference this CWE, most recent first.
GHSA-26M2-2WHW-VFV9
Vulnerability from github – Published: 2026-07-11 15:30 – Updated: 2026-07-11 15:30ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
{
"affected": [],
"aliases": [
"CVE-2026-61858"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T14:16:24Z",
"severity": "MODERATE"
},
"details": "ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.",
"id": "GHSA-26m2-2whw-vfv9",
"modified": "2026-07-11T15:30:23Z",
"published": "2026-07-11T15:30:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61858"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2776-M3XX-F2VF
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18radiance 3R9+20080530 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/opt.fmt, (b) /tmp/out#####.fmt, (c) /tmp/tf#####.dat, (d) /tmp/gsf#####, (e) /tmp/sc#####.sh, (f) /tmp/il#####.pic, (g) /tmp/tl#####.pic, (h) /tmp/ds#####.pic, (i) /tmp/tfa#####, and (j) /tmp/sed##### temporary files, related to the (1) optics2rad, (2) pdelta, (3) dayfact, and (4) raddepend scripts.
{
"affected": [],
"aliases": [
"CVE-2008-4978"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "radiance 3R9+20080530 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/opt.fmt, (b) /tmp/out#####.fmt, (c) /tmp/tf#####.dat, (d) /tmp/gsf#####, (e) /tmp/sc#####.sh, (f) /tmp/il#####.pic, (g) /tmp/tl#####.pic, (h) /tmp/ds#####.pic, (i) /tmp/tfa#####, and (j) /tmp/sed##### temporary files, related to the (1) optics2rad, (2) pdelta, (3) dayfact, and (4) raddepend scripts.",
"id": "GHSA-2776-m3xx-f2vf",
"modified": "2022-05-17T02:18:28Z",
"published": "2022-05-17T02:18:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4978"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44846"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496433"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/radiance"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30953"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-279P-XGVM-R6G6
Vulnerability from github – Published: 2022-05-17 04:44 – Updated: 2022-05-17 04:44DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file.
{
"affected": [],
"aliases": [
"CVE-2011-3154"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-17T14:55:00Z",
"severity": "LOW"
},
"details": "DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file.",
"id": "GHSA-279p-xgvm-r6g6",
"modified": "2022-05-17T04:44:57Z",
"published": "2022-05-17T04:44:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3154"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/881541"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47024"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1284-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-27GF-J34Q-JWV5
Vulnerability from github – Published: 2022-10-10 19:00 – Updated: 2022-10-11 19:00Warpinator through 1.2.14 allows access outside of an intended directory, as demonstrated by symbolic directory links.
{
"affected": [],
"aliases": [
"CVE-2022-42725"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T05:15:00Z",
"severity": "HIGH"
},
"details": "Warpinator through 1.2.14 allows access outside of an intended directory, as demonstrated by symbolic directory links.",
"id": "GHSA-27gf-j34q-jwv5",
"modified": "2022-10-11T19:00:26Z",
"published": "2022-10-10T19:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42725"
},
{
"type": "WEB",
"url": "https://github.com/linuxmint/warpinator/commit/5244c33d4c109ede9607b9d94461650410e2cddc"
},
{
"type": "WEB",
"url": "https://github.com/linuxmint/warpinator/commit/8bfd2f8b3f1b0c0f0a5a6d275702d107b9e08a94"
},
{
"type": "WEB",
"url": "https://github.com/linuxmint/warpinator/commit/95124fd4468683dd69ddd7b3da0e9906ce6beae2"
},
{
"type": "WEB",
"url": "https://github.com/linuxmint/warpinator/commit/f4907ef6a17a189d56ab0a9da4b53190b061ad75"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/24/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/04/26/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-27Q6-288H-36J9
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it."
{
"affected": [],
"aliases": [
"CVE-2008-4977"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating \"This is not a real issue ... users would have to edit a script under /usr/lib to enable it.\"",
"id": "GHSA-27q6-288h-36j9",
"modified": "2022-05-17T05:53:38Z",
"published": "2022-05-17T05:53:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4977"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235811"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496401"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/postfix"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-27QC-C946-G657
Vulnerability from github – Published: 2022-05-02 03:12 – Updated: 2022-05-02 03:12CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.
{
"affected": [],
"aliases": [
"CVE-2009-0032"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-01-27T20:30:00Z",
"severity": "MODERATE"
},
"details": "CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.",
"id": "GHSA-27qc-c946-g657",
"modified": "2022-05-02T03:12:29Z",
"published": "2022-05-02T03:12:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0032"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48210"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1021637"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:027"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:028"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:029"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/33418"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-28F2-GW74-5CPJ
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2025-04-20 03:49The setpermissions function in the auto-updater in Arq before 5.9.7 for Mac allows local users to gain root privileges via a symlink attack on the updater binary itself.
{
"affected": [],
"aliases": [
"CVE-2017-15357"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-01T17:29:00Z",
"severity": "HIGH"
},
"details": "The setpermissions function in the auto-updater in Arq before 5.9.7 for Mac allows local users to gain root privileges via a symlink attack on the updater binary itself.",
"id": "GHSA-28f2-gw74-5cpj",
"modified": "2025-04-20T03:49:23Z",
"published": "2022-05-13T01:27:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15357"
},
{
"type": "WEB",
"url": "https://m4.rkw.io/blog/cve201715357-local-root-privesc-in-arq-backup--596.html"
},
{
"type": "WEB",
"url": "https://www.arqbackup.com/download/arq5_release_notes.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43218"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-28FH-4J57-CC4W
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.
{
"affected": [],
"aliases": [
"CVE-2020-24556"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-01T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.",
"id": "GHSA-28fh-4j57-cc4w",
"modified": "2022-05-24T17:27:08Z",
"published": "2022-05-24T17:27:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24556"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000263632"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000263633"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000267260"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1093"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-28M8-9J7V-X499
Vulnerability from github – Published: 2022-09-16 19:28 – Updated: 2022-09-22 17:28Impact
Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.
Patches
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope.
Workarounds
Disable the readDir endpoint in the allowlist inside the tauri.conf.json.
For more information
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "tauri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39215"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T19:28:49Z",
"nvd_published_at": "2022-09-15T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nDue to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked.\n\n\n### Patches\nThe issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the\nrequested (sub) directory is a symbolic link outside of the defined `scope`.\n\n### Workarounds\nDisable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.\n\n### For more information\n\nThis issue was initially reported by [martin-ocasek]( https://github.com/martin-ocasek) in [#4882](https://github.com/tauri-apps/tauri/issues/4882).\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [tauri](https://github.com/tauri-apps/tauri)\n* Email us at [security@tauri.app](mailto:security@tauri.app)\n",
"id": "GHSA-28m8-9j7v-x499",
"modified": "2022-09-22T17:28:05Z",
"published": "2022-09-16T19:28:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39215"
},
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/issues/4882"
},
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/pull/5123"
},
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678"
},
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799"
},
{
"type": "PACKAGE",
"url": "https://github.com/tauri-apps/tauri"
},
{
"type": "WEB",
"url": "https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0088.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tauri\u0027s readDir Endpoint Scope can be Bypassed With Symbolic Links"
}
GHSA-28XP-G7F6-7MHF
Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2023-10-10 16:33Syncthing version 0.14.33 and older erronously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target. This can lead to symlink traversal resulting in arbitrary file overwrite.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/syncthing/syncthing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.14.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000420"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-26T22:17:40Z",
"nvd_published_at": "2018-01-02T19:29:00Z",
"severity": "HIGH"
},
"details": "Syncthing version 0.14.33 and older erronously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target. This can lead to symlink traversal resulting in arbitrary file overwrite.",
"id": "GHSA-28xp-g7f6-7mhf",
"modified": "2023-10-10T16:33:31Z",
"published": "2022-05-14T03:49:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000420"
},
{
"type": "WEB",
"url": "https://github.com/syncthing/syncthing/issues/4286"
},
{
"type": "WEB",
"url": "https://github.com/syncthing/syncthing/commit/f1f21bf22020d9b881478c2e942ba6943c8da2f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/syncthing/syncthing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Syncthing vulnerable to symlink traversal and arbitrary file overwrite"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.