Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1984 vulnerabilities reference this CWE, most recent first.

GHSA-4735-2RHV-69G6

Vulnerability from github – Published: 2022-05-02 03:15 – Updated: 2022-05-02 03:15
VLAI
Details

Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-06T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.",
  "id": "GHSA-4735-2rhv-69g6",
  "modified": "2022-05-02T03:15:50Z",
  "published": "2022-05-02T03:15:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0473"
    },
    {
      "type": "WEB",
      "url": "http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33783"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/619499"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33636"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/0347"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-47JC-H939-7PJ5

Vulnerability from github – Published: 2026-05-10 15:31 – Updated: 2026-05-10 15:31
VLAI
Details

CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-10T13:16:31Z",
    "severity": "HIGH"
  },
  "details": "CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.",
  "id": "GHSA-47jc-h939-7pj5",
  "modified": "2026-05-10T15:31:20Z",
  "published": "2026-05-10T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47949"
    },
    {
      "type": "WEB",
      "url": "https://cyberpanel.net"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usmannasir/cyberpanel"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50230"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/cyberpanel-authenticated-remote-code-execution-via-symlink-attack"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-47V7-36CR-738C

Vulnerability from github – Published: 2023-05-30 06:30 – Updated: 2024-04-04 04:22
VLAI
Details

Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T05:15:12Z",
    "severity": "HIGH"
  },
  "details": "Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink.",
  "id": "GHSA-47v7-36cr-738c",
  "modified": "2024-04-04T04:22:58Z",
  "published": "2023-05-30T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33245"
    },
    {
      "type": "WEB",
      "url": "https://help.minecraft.net/hc/en-us/articles/16165590199181"
    },
    {
      "type": "WEB",
      "url": "https://vuln.ryotak.net/advisories/67"
    },
    {
      "type": "WEB",
      "url": "https://www.minecraft.net/ja-jp/article/minecraft-1-20-pre-release-7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47WR-426J-FR82

Vulnerability from github – Published: 2022-02-12 00:14 – Updated: 2021-05-21 18:35
VLAI
Summary
Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer
Details

Impact

Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences.

Mitigating factors

For the attach to succeed, the following factors need to contribute:

  • The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.
  • The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.

Analysis

An attacker could inject a symbolic link into the tarball, so that a file could result into fake_file -> /etc/passwd or some equally important file. As it is now, dbdeployer would create the symlink as defined, with a local file fake_file linked to /etc/passwd. The danger here is that any process with the privileges to write to both fake_file and /etc/passwd could overwrite the system file. Even without malicious intent, this could result in the system to become unusable. As noted above, the user must have write privileges to the target file to do the damage.

Remedies

It has been suggested that the extract procedure use filepath.EvalSymlinks to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out. A simple case is a file mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib with a linkName ../lib/libprotobuf-lite.3.11.4.dylib, if the linked file has not been created yet, filepath.EvalSymlinks would fail, as it acts on existing files only.

An alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:

Unpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22
......
link '../../../../../../../../../../etc' points outside target directory

exit status 1

As an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as /etc/passwd) would fail this test, and trigger an error.

The same check can be applied to a link to a non existing file with absolute path.

Patches

Patched in release 1.58.2

For more information

If you have any questions or comments about this advisory: * Open an issue in dbdeployer

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/datacharmer/dbdeployer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.58.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T18:35:39Z",
    "nvd_published_at": "2020-12-21T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences._\n\n### Mitigating factors\nFor the attach to succeed, the following factors need to contribute:\n\n* The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.\n*  The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.\n\n### Analysis\n\nAn attacker could inject a symbolic link into the tarball, so that a file could result into `fake_file -\u003e /etc/passwd` or some equally  important file.\nAs it is now, dbdeployer would create the symlink as defined, with a local file `fake_file` linked to `/etc/passwd`. The danger here is that any process with the privileges to write to both `fake_file` and `/etc/passwd` could overwrite the system file. Even without malicious intent, this could result in the system to become unusable.\nAs noted above, the user must have write privileges to the target file to do the damage.\n\n### Remedies\n\nIt has been suggested that the extract procedure use `filepath.EvalSymlinks` to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out.\nA simple case is a file `mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib` with a linkName `../lib/libprotobuf-lite.3.11.4.dylib`, if the linked file has not been created yet, `filepath.EvalSymlinks` would fail, as it acts on existing files only.\n\nAn alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:\n\n```\nUnpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22\n......\nlink \u0027../../../../../../../../../../etc\u0027 points outside target directory\n\nexit status 1\n```\nAs an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as `/etc/passwd`) would fail this test, and trigger an error.\n\nThe same check can be applied to a link to a non existing file with absolute path.\n\n### Patches\n\nPatched in release 1.58.2\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [dbdeployer](https://github.com/datacharmer/dbdeployer)",
  "id": "GHSA-47wr-426j-fr82",
  "modified": "2021-05-21T18:35:39Z",
  "published": "2022-02-12T00:14:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/datacharmer/dbdeployer/security/advisories/GHSA-47wr-426j-fr82"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datacharmer/dbdeployer/commit/548e256c1de2f99746e861454e7714ec6bc9bb10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer"
}

GHSA-47XW-VW6M-W9FQ

Vulnerability from github – Published: 2023-10-28 00:30 – Updated: 2023-10-31 21:35
VLAI
Summary
HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability
Details

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vagrant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1386",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-31T21:35:21Z",
    "nvd_published_at": "2023-10-27T22:15:09Z",
    "severity": "LOW"
  },
  "details": "HashiCorp Vagrant\u0027s Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.",
  "id": "GHSA-47xw-vw6m-w9fq",
  "modified": "2023-10-31T21:35:21Z",
  "published": "2023-10-28T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5834"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2023-31-vagrant-s-windows-installer-allowed-directory-junction-write/59568"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vagrant"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability"
}

GHSA-482J-63PF-FMXQ

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-8585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-11-04T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php.",
  "id": "GHSA-482j-63pf-fmxq",
  "modified": "2022-05-13T01:27:00Z",
  "published": "2022-05-13T01:27:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8585"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98318"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-48Q2-62W2-89CW

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-01T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.",
  "id": "GHSA-48q2-62w2-89cw",
  "modified": "2022-05-13T01:06:17Z",
  "published": "2022-05-13T01:06:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpm-software-management/yum-utils/pull/43"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2284"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2285"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2626"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-10897"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600221"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897"
    },
    {
      "type": "WEB",
      "url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48RG-9M95-738V

Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2024-07-30 00:34
VLAI
Details

Comodo Internet Security Pro cmdagent Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Comodo Internet Security Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the cmdagent executable. By creating a symbolic link, an attacker can abuse the agent to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22829.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T22:15:06Z",
    "severity": "HIGH"
  },
  "details": "Comodo Internet Security Pro cmdagent Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Comodo Internet Security Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the cmdagent executable. By creating a symbolic link, an attacker can abuse the agent to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22829.",
  "id": "GHSA-48rg-9m95-738v",
  "modified": "2024-07-30T00:34:24Z",
  "published": "2024-07-30T00:34:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7250"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-955"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-493F-JH8W-QHX3

Vulnerability from github – Published: 2026-03-10 21:02 – Updated: 2026-03-10 21:02
VLAI
Summary
ImageMagick has a Path Policy TOCTOU symlink race bypass
Details

domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:02:24Z",
    "nvd_published_at": "2026-03-10T07:43:43Z",
    "severity": "MODERATE"
  },
  "details": "`domain=\"path\"` authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write.",
  "id": "GHSA-493f-jh8w-qhx3",
  "modified": "2026-03-10T21:02:24Z",
  "published": "2026-03-10T21:02:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28689"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick has a Path Policy TOCTOU symlink race bypass"
}

GHSA-49QH-H4VJ-MRGF

Vulnerability from github – Published: 2026-06-10 06:30 – Updated: 2026-06-30 03:36
VLAI
Details

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T05:16:38Z",
    "severity": "HIGH"
  },
  "details": "A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module\u0027s keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.",
  "id": "GHSA-49qh-h4vj-mrgf",
  "modified": "2026-06-30T03:36:59Z",
  "published": "2026-06-10T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-11837"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487424"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11837.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.