Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1987 vulnerabilities reference this CWE, most recent first.

GHSA-7M75-X27W-R52R

Vulnerability from github – Published: 2024-06-03 12:30 – Updated: 2024-06-04 17:50
VLAI
Summary
qdrant input validation failure
Details

qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot's directory structure. This vulnerability allows for the reading and writing of arbitrary files on the server, which could potentially lead to a full takeover of the system. The issue is fixed in version v1.9.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "qdrant-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-04T17:50:58Z",
    "nvd_published_at": "2024-06-03T10:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot\u0027s directory structure. This vulnerability allows for the reading and writing of arbitrary files on the server, which could potentially lead to a full takeover of the system. The issue is fixed in version v1.9.0.",
  "id": "GHSA-7m75-x27w-r52r",
  "modified": "2024-06-04T17:50:58Z",
  "published": "2024-06-03T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qdrant/qdrant/commit/ee7a31ec3459a6a4219200234615c1817ab82260"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/qdrant/qdrant-client"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/abd9c906-75ee-4d84-b76d-ce1386401e08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "qdrant input validation failure "
}

GHSA-7MJV-X3JF-545X

Vulnerability from github – Published: 2023-03-21 22:32 – Updated: 2023-03-21 22:32
VLAI
Summary
cloudflared's Installer has Local Privilege Escalation Vulnerability
Details

Impact

A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory.

An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process.

Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised.

The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.

Patches

A new installer was released as part of version 2023.3.1, corresponding to pseudoversion 0.0.0-20230313153246-f686da832f85 on pkg.go.dev. Users are encouraged to remove old installers from their systems.

References

Cloudflared Releases

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudflare/cloudflared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20230313153246-f686da832f85"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:32:50Z",
    "nvd_published_at": "2023-03-21T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA vulnerability has been discovered in cloudflared\u0027s installer (\u003c= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory.\n\nAn attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer\u0027s repair functionality to delete the target file during the repair process.\n\nExploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised.\n\n**The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.**\n\n### Patches\nA new installer was released as part of version 2023.3.1, corresponding to pseudoversion 0.0.0-20230313153246-f686da832f85 on pkg.go.dev. Users are encouraged to remove old installers from their systems.\n\n### References\n[Cloudflared Releases](https://github.com/cloudflare/cloudflared/releases)",
  "id": "GHSA-7mjv-x3jf-545x",
  "modified": "2023-03-21T22:32:50Z",
  "published": "2023-03-21T22:32:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cloudflared/security/advisories/GHSA-7mjv-x3jf-545x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1314"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cloudflared/commit/9c15f31d003bebfbe6467c2b42972df3e7c9b886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/cloudflared"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cloudflared/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cloudflared\u0027s Installer has Local Privilege Escalation Vulnerability"
}

GHSA-7P5C-G6M3-V67R

Vulnerability from github – Published: 2024-01-09 18:30 – Updated: 2024-01-09 18:30
VLAI
Details

Visual Studio Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T18:15:48Z",
    "severity": "HIGH"
  },
  "details": "Visual Studio Elevation of Privilege Vulnerability",
  "id": "GHSA-7p5c-g6m3-v67r",
  "modified": "2024-01-09T18:30:28Z",
  "published": "2024-01-09T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20656"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20656"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P6M-P6R7-2F8P

Vulnerability from github – Published: 2022-04-30 18:12 – Updated: 2022-04-30 18:12
VLAI
Details

Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-1999-1593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-01-15T01:30:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server.  NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable.",
  "id": "GHSA-7p6m-p6r7-2f8p",
  "modified": "2022-04-30T18:12:46Z",
  "published": "2022-04-30T18:12:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-1999-1593"
    },
    {
      "type": "WEB",
      "url": "https://www2.sans.org/reading_room/whitepapers/win2k/185.php"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00371.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0264.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0269.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0271.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0274.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0276.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0289.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2001/Jan/0298.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/2221"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7P6P-4577-FPHG

Vulnerability from github – Published: 2022-05-17 00:43 – Updated: 2022-05-17 00:43
VLAI
Details

The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-22T15:30:00Z",
    "severity": "MODERATE"
  },
  "details": "The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.",
  "id": "GHSA-7p6p-4577-fphg",
  "modified": "2022-05-17T00:43:23Z",
  "published": "2022-05-17T00:43:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5706"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7183"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/506530"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2008/12/17/16"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/4800"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7P8H-3XW2-W6JW

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-02-24 00:30
VLAI
Details

IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in .infxdirs. IBM X-Force ID: 144432.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in .infxdirs. IBM X-Force ID: 144432.",
  "id": "GHSA-7p8h-3xw2-w6jw",
  "modified": "2023-02-24T00:30:16Z",
  "published": "2022-05-24T16:54:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1632"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144432"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190903-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10964987"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PCG-JHJM-W87W

Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-26 21:31
VLAI
Details

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T01:17:06Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data.",
  "id": "GHSA-7pcg-jhjm-w87w",
  "modified": "2026-03-26T21:31:22Z",
  "published": "2026-03-25T03:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20694"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126349"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126794"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126795"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PHF-PG77-8MWX

Vulnerability from github – Published: 2022-05-17 02:17 – Updated: 2022-05-17 02:17
VLAI
Details

pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-26T21:30:00Z",
    "severity": "MODERATE"
  },
  "details": "pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.",
  "id": "GHSA-7phf-pg77-8mwx",
  "modified": "2022-05-17T02:17:14Z",
  "published": "2022-05-17T02:17:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5743"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.novell.com/show_bug.cgi?id=459031"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47519"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00484.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00488.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33278"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34312"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/12/19/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32931"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7PPQ-QP29-RVGJ

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-17T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file\u0027s parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.",
  "id": "GHSA-7ppq-qp29-rvgj",
  "modified": "2022-05-24T17:44:43Z",
  "published": "2022-05-24T17:44:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28650"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7Q4V-2MR6-5GPX

Vulnerability from github – Published: 2026-06-16 14:33 – Updated: 2026-06-16 14:33
VLAI
Summary
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability
Details

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in System.Formats.Tar. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A tampering vulnerability exists in the TarFile.ExtractToDirectory method where a symlink path traversal enables an attacker to perform arbitrary file writes outside the intended extraction directory.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/404

Affected Platforms

  • Platforms: All
  • Architectures: All

Affected Packages

The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below

.NET 10

Package name Affected version Patched version
Microsoft.NETCore.App.Runtime >= 10.0.0, <= 10.0.8 10.0.9

.NET 9

Package name Affected version Patched version
Microsoft.NETCore.App.Runtime >= 9.0.0, <= 9.0.16 9.0.17

.NET 8

Package name Affected version Patched version
Microsoft.NETCore.App.Runtime >= 8.0.0, <= 8.0.27 8.0.28

Advisory FAQ

How do I know if I am affected?

If using a package listed in affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  1. To fix the issue please install the latest version of .NET 8.0, .NET 9.0, or .NET 10.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  2. If your application references the vulnerable package, update the package reference to the patched version.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.

Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Acknowledgements

Anonymous, Ashmit Sharma, Ky0toFu ,phrolo7a

Revisions

V1.0 (June 9, 2026): Advisory published.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.27"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.16"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.27"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.16"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.27"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.16"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NETCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T14:33:40Z",
    "nvd_published_at": "2026-06-09T17:17:25Z",
    "severity": "MODERATE"
  },
  "details": "## Executive Summary\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in System.Formats.Tar. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA tampering vulnerability exists in the `TarFile.ExtractToDirectory` method where a symlink path traversal enables an attacker to perform arbitrary file writes outside the intended extraction directory.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/404\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## Affected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below\n\n### .NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime) | \u003e= 10.0.0, \u003c= 10.0.8 | 10.0.9\n\n### .NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime) | \u003e= 9.0.0, \u003c= 9.0.16 | 9.0.17\n\n### .NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime) | \u003e= 8.0.0, \u003c= 8.0.27 | 8.0.28\n\n## Advisory FAQ\n\n### How do I know if I am affected?\n\nIf using a package listed in affected packages, you\u0027re exposed to the vulnerability.\n\n### How do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 8.0, .NET 9.0, or .NET 10.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n2. If your application references the vulnerable package, update the package reference to the patched version.\n\nOnce you have installed the updated runtime or SDK, restart your apps for the update to take effect.\n\nAdditionally, if you\u0027ve deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### Acknowledgements\nAnonymous,\u202fAshmit Sharma, Ky0toFu\u202f,phrolo7a\n\n### Revisions\n\nV1.0 (June 9, 2026): Advisory published.",
  "id": "GHSA-7q4v-2mr6-5gpx",
  "modified": "2026-06-16T14:33:40Z",
  "published": "2026-06-16T14:33:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-7q4v-2mr6-5gpx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/announcements/issues/404"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dotnet/runtime"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft Security Advisory CVE-2026-45491 \u2013 .NET Tampering Vulnerability"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.