Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1984 vulnerabilities reference this CWE, most recent first.

GHSA-58P9-FWRR-259C

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-08T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm\u0026user=admin\u0026code= URI. This occurs because chmod is used unsafely.",
  "id": "GHSA-58p9-fwrr-259c",
  "modified": "2022-05-24T17:46:55Z",
  "published": "2022-05-24T17:46:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30463"
    },
    {
      "type": "WEB",
      "url": "https://ssd-disclosure.com/ssd-advisory-vestacp-lpe-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-58PW-R2V4-PWJV

Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-11-05 00:31
VLAI
Details

7-Zip before 25.01 does not always properly handle symbolic links during extraction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-08T21:15:25Z",
    "severity": "LOW"
  },
  "details": "7-Zip before 25.01 does not always properly handle symbolic links during extraction.",
  "id": "GHSA-58pw-r2v4-pwjv",
  "modified": "2025-11-05T00:31:24Z",
  "published": "2025-08-08T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ip7z/7zip/compare/25.00...25.01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ip7z/7zip/releases/tag/25.01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunbun/CVE-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://lunbun.dev/blog/cve-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/08/09/1"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-detect-7-zip-vulnerable-version"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-mitigate-7-zip-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/sWT6M1cfnwM"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/10/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/13/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/16/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58V9-JF45-V492

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-04-04 03:04
VLAI
Details

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-16T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.",
  "id": "GHSA-58v9-jf45-v492",
  "modified": "2024-04-04T03:04:36Z",
  "published": "2022-05-24T17:42:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/pull/4733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58XF-QF7H-M4M6

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-18T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.",
  "id": "GHSA-58xf-qf7h-m4m6",
  "modified": "2022-05-17T05:53:08Z",
  "published": "2022-05-17T05:53:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5144"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5977-VHPG-P3HQ

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability",
  "id": "GHSA-5977-vhpg-p3hq",
  "modified": "2024-05-14T18:31:03Z",
  "published": "2024-05-14T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26238"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-597G-3PHW-6986

Vulnerability from github – Published: 2026-01-13 18:45 – Updated: 2026-01-13 18:45
VLAI
Summary
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Details

Impact

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

Affected versions: All versions up to and including 20.36.1

Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.

Attack scenarios: - Cache poisoning: Attacker corrupts wheels or Python metadata in the cache - Information disclosure: Attacker reads sensitive cached data or metadata - Lock bypass: Attacker controls lock file semantics to cause concurrent access violations - Denial of service: Lock starvation preventing virtualenv operations

Patches

The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.

Fixed in: PR #3013

Versions with the fix: 20.36.2 and later

Users should upgrade to version 20.36.2 or later.

Workarounds

If you cannot upgrade immediately:

  1. Ensure VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700)
  2. Avoid running virtualenv in shared temporary directories where other users have write access
  3. Use separate user accounts for different projects to isolate app_data directories

References

  • GitHub PR: https://github.com/pypa/virtualenv/pull/3013
  • Vulnerability reported by: @tsigouris007
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
  • CWE-59: Improper Link Resolution Before File Access
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "virtualenv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.36.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T18:45:57Z",
    "nvd_published_at": "2026-01-10T07:16:02Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv\u0027s app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access",
  "id": "GHSA-597g-3phw-6986",
  "modified": "2026-01-13T18:45:57Z",
  "published": "2026-01-13T18:45:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/pull/3013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pypa/virtualenv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "virtualenv Has TOCTOU Vulnerabilities in Directory Creation"
}

GHSA-599W-RMP9-P3VV

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00
VLAI
Details

In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.",
  "id": "GHSA-599w-rmp9-p3vv",
  "modified": "2022-07-15T00:00:23Z",
  "published": "2022-07-07T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21770"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/July-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59PM-697W-V8V8

Vulnerability from github – Published: 2025-10-28 03:30 – Updated: 2025-10-28 03:30
VLAI
Details

A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T01:16:11Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-59pm-697w-v8v8",
  "modified": "2025-10-28T03:30:19Z",
  "published": "2025-10-28T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12341"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/19jwaqUji6O3U6EAeUMixBM58QTc4qNMQ/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.330127"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.330127"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.674515"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-59WJ-H89P-37X9

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-04 00:32
VLAI
Details

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to create symlinks to protected regions of the disk.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T23:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to create symlinks to protected regions of the disk.",
  "id": "GHSA-59wj-h89p-37x9",
  "modified": "2025-11-04T00:32:24Z",
  "published": "2025-04-01T00:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30457"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122374"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122375"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5C52-J627-9MH6

Vulnerability from github – Published: 2022-05-17 04:16 – Updated: 2022-05-17 04:16
VLAI
Details

The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-02-10T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.",
  "id": "GHSA-5c52-j627-9mh6",
  "modified": "2022-05-17T04:16:05Z",
  "published": "2022-05-17T04:16:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1377"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62157"
    },
    {
      "type": "WEB",
      "url": "http://www.webmin.com/changes.html"
    },
    {
      "type": "WEB",
      "url": "http://www.webmin.com/security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.